* [PATCH] x86/intel_rdt: Fix locking in rdtgroup_schemata_write
@ 2017-04-11  7:14 Jiri Olsa
  2017-04-11  8:03 ` [tip:x86/urgent] x86/intel_rdt: Fix locking in rdtgroup_schemata_write() tip-bot for Jiri Olsa
  0 siblings, 1 reply; 2+ messages in thread
From: Jiri Olsa @ 2017-04-11  7:14 UTC (permalink / raw)
  To: Fenghua Yu
  Cc: Peter Zijlstra, Peter Zijlstra, Mike Galbraith, Shaohua Li, lkml,
	Ingo Molnar, Thomas Gleixner

Currently we release the schemata lock before we free the
resource's temporary tmp_cbms allocation, which could
already be in use by another concurrent access, and crash like:

  BUG: unable to handle kernel NULL pointer dereference at           (null)
  IP: rdtgroup_schemata_write+0x2d1/0x460
  ...
  SNIP
  ...
  rdtgroup_file_write+0x1b/0x30
  kernfs_fop_write+0xe0/0x160
  vfs_write+0xbd/0x1e0
  SyS_write+0x7f/0xe0
  system_call_fastpath+0x16/0x1b

Moving the unlock after the release code.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Shaohua Li <shli@fb.com>
---
 arch/x86/kernel/cpu/intel_rdt_schemata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/intel_rdt_schemata.c b/arch/x86/kernel/cpu/intel_rdt_schemata.c
index f369cb8db0d5..badd2b31a560 100644
--- a/arch/x86/kernel/cpu/intel_rdt_schemata.c
+++ b/arch/x86/kernel/cpu/intel_rdt_schemata.c
@@ -200,11 +200,11 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of,
 	}
 
 out:
-	rdtgroup_kn_unlock(of->kn);
 	for_each_enabled_rdt_resource(r) {
 		kfree(r->tmp_cbms);
 		r->tmp_cbms = NULL;
 	}
+	rdtgroup_kn_unlock(of->kn);
 	return ret ?: nbytes;
 }
 
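Review bot: the ordering at `out:` is now right, but nothing in the code records why `rdtgroup_kn_unlock(of->kn)` has to come after the loop. `r->tmp_cbms` hangs off the resource that `for_each_enabled_rdt_resource(r)` walks, so it is shared between writers rather than private to this call. Please add a one-line comment above the loop saying that tmp_cbms is protected by the lock dropped just below, so a later cleanup does not hoist the unlock back up. Also worth confirming, in the part of the function this hunk does not show, that the matching allocation happens only after the lock is taken; freeing under the lock closes the race only if the allocation and every use are covered by the same critical section.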
-- 
2.9.3


* [tip:x86/urgent] x86/intel_rdt: Fix locking in rdtgroup_schemata_write()
  2017-04-11  7:14 [PATCH] x86/intel_rdt: Fix locking in rdtgroup_schemata_write Jiri Olsa
@ 2017-04-11  8:03 ` tip-bot for Jiri Olsa
  0 siblings, 0 replies; 2+ messages in thread
From: tip-bot for Jiri Olsa @ 2017-04-11  8:03 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: tglx, shli, hpa, mingo, peterz, jolsa, fenghua.yu, linux-kernel,
	efault, a.p.zijlstra

Commit-ID:  7f00f388712b29005782bad7e4b25942620f3b9c
Gitweb:     http://git.kernel.org/tip/7f00f388712b29005782bad7e4b25942620f3b9c
Author:     Jiri Olsa <jolsa@kernel.org>
AuthorDate: Tue, 11 Apr 2017 09:14:46 +0200
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Tue, 11 Apr 2017 09:48:12 +0200

x86/intel_rdt: Fix locking in rdtgroup_schemata_write()

The schemata lock is released before freeing the resource's temporary
tmp_cbms allocation. That's racy versus another write which allocates and
uses new temporary storage, resulting in memory leaks, freeing in-use
memory, a double free or any combination of those.

Move the unlock after the release code.

Fixes: 60ec2440c63d ("x86/intel_rdt: Add schemata file")
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Shaohua Li <shli@fb.com>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170411071446.15241-1-jolsa@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 arch/x86/kernel/cpu/intel_rdt_schemata.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/intel_rdt_schemata.c b/arch/x86/kernel/cpu/intel_rdt_schemata.c
index f369cb8..badd2b3 100644
--- a/arch/x86/kernel/cpu/intel_rdt_schemata.c
+++ b/arch/x86/kernel/cpu/intel_rdt_schemata.c
@@ -200,11 +200,11 @@ ssize_t rdtgroup_schemata_write(struct kernfs_open_file *of,
 	}
 
 out:
-	rdtgroup_kn_unlock(of->kn);
 	for_each_enabled_rdt_resource(r) {
 		kfree(r->tmp_cbms);
 		r->tmp_cbms = NULL;
 	}
+	rdtgroup_kn_unlock(of->kn);
 	return ret ?: nbytes;
 }
 
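Review bot: `kfree(r->tmp_cbms); r->tmp_cbms = NULL;` now runs before `rdtgroup_kn_unlock(of->kn)`, which closes the window, but the scratch pointer is still stored in the per-resource structure that every writer reaches through `for_each_enabled_rdt_resource(r)`. That keeps the leak, use-after-free and double-free outcomes named in the changelog one misplaced unlock away on any future error path that jumps to `out:`. As a follow-up, consider making the temporary storage local to a single `rdtgroup_schemata_write()` call so that its lifetime no longer depends on lock ordering. Since this is tagged for stable, the minimal one-line move is the right shape for the fix itself.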

