linux-edac.vger.kernel.org archive mirror
From: James Morse <james.morse@arm.com>
To: linux-edac@vger.kernel.org
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>,
	Borislav Petkov <bp@alien8.de>, Tony Luck <tony.luck@intel.com>,
	Robert Richter <rrichter@marvell.com>,
	John Garry <john.garry@huawei.com>
Subject: [PATCH 0/2] EDAC, ghes: Fix use after free and add reference
Date: Mon, 14 Oct 2019 18:19:17 +0100
Message-ID: <20191014171919.85044-1-james.morse@arm.com>

Hello,

ghes_edac can only be registered once; later attempts will silently
do nothing as the driver is already set up. The unregister path also
only expects to be called once, but doesn't check.

This leads to KASAN splats if multiple GHES entries are unregistered,
as the free()d memory is dereferenced, and if we're lucky, free()d
a second time.

Link: lore.kernel.org/r/304df85b-8b56-b77e-1a11-aa23769f2e7c@huawei.com

Patch 1 is the minimum needed to prevent the dereference and double
free, but this does expose the lack of symmetry. If we unregister
one GHES entry, subsequent notifications will be lost.
Unregistering is unsafe if another CPU is using the free()d memory in
ghes_edac_report_mem_error().

To fix this, Patch 2 uses ghes_init as a reference count.

We can now unbind all the GHES entries, causing ghes_edac to be
unregistered, and start rebinding them again.


Thanks,

James Morse (2):
  EDAC, ghes: Fix Use after free in ghes_edac remove path
  EDAC, ghes: Reference count GHES users of ghes_edac

 drivers/edac/ghes_edac.c | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.20.1
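
The counting scheme described in the cover letter above, as an added example that is not part of the original email or of the kernel patches: a single-threaded userspace C model in which every name (model_register, model_unregister, model_report, pvt, users, teardowns) is hypothetical. It shows only the reference counting and the NULL check on the report path, not the locking needed against a reporter running on another CPU.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model of the cover letter's scenario; every name is hypothetical. */
struct model_pvt { int reports; };

static struct model_pvt *pvt;   /* state shared by all GHES entries */
static atomic_int users;        /* how many entries are registered */
static int teardowns;           /* times the state was actually freed */

/* Only the first caller sets up; later callers just take a reference. */
int model_register(void)
{
    if (atomic_fetch_add(&users, 1) > 0)
        return 0;
    pvt = calloc(1, sizeof(*pvt));
    if (!pvt) {
        atomic_fetch_sub(&users, 1);
        return -1;
    }
    return 0;
}

/* Only the caller that drops the last reference frees the state. */
void model_unregister(void)
{
    if (atomic_fetch_sub(&users, 1) != 1)
        return;
    free(pvt);
    pvt = NULL;     /* a late report sees NULL, not freed memory */
    teardowns++;
}

/* Report path: returns -1 (event dropped) when nothing is registered. */
int model_report(void)
{
    if (!pvt)
        return -1;
    return ++pvt->reports;
}

int main(void)
{
    model_register();
    model_register();           /* second GHES entry */
    model_unregister();         /* first unbind: state must survive */
    int alive = model_report() == 1 && teardowns == 0;
    model_unregister();         /* last unbind: single free */
    return (alive && teardowns == 1 && model_report() == -1) ? 0 : 1;
}
```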

