Stable Archive on lore.kernel.org
* [PATCH] x86/mce/amd: Fix kobject lifetime
@ 2020-02-14  8:28 Borislav Petkov
  2020-02-14  8:32 ` Borislav Petkov
  2020-02-15 13:34 ` [tip: ras/urgent] " tip-bot2 for Thomas Gleixner
  0 siblings, 2 replies; 8+ messages in thread
From: Borislav Petkov @ 2020-02-14  8:28 UTC (permalink / raw)
  To: X86 ML; +Cc: Yazen Ghannam, LKML, stable

From: Thomas Gleixner <tglx@linutronix.de>

Accessing the MCA thresholding controls in sysfs concurrently with CPU
hotplug can lead to a couple of KASAN-reported issues:

  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
  Read of size 8 at addr ffff888367578940 by task grep/4019

and

  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
  Read of size 2 at addr ffff888368a05514 by task grep/4454

for example. Both result from the fact that the threshold block
creation/teardown code frees the descriptor memory itself instead of
defining a proper ->release function and leaving it to the driver core to
take care of that, after all sysfs accesses have completed.

Do that and get rid of the custom freeing code, fixing the above UAFs in
the process.

  [ bp: write commit message. ]

Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org>
---
 arch/x86/kernel/cpu/mce/amd.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c
index e7313e5c497c..52de616a8065 100644
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1163,9 +1163,12 @@ static const struct sysfs_ops threshold_ops = {
 	.store			= store,
 };
 
+static void threshold_block_release(struct kobject *kobj);
+
 static struct kobj_type threshold_ktype = {
 	.sysfs_ops		= &threshold_ops,
 	.default_attrs		= default_attrs,
+	.release		= threshold_block_release,
 };
 
 static const char *get_name(unsigned int bank, struct threshold_block *b)
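Review bot: the forward declaration of threshold_block_release() exists only because its definition lands after threshold_create_bank() in the second hunk; defining it directly above threshold_ktype would drop the extra declaration and keep the release callback next to the ktype it belongs to. Wiring .release is the substantive change: from here on the struct threshold_block is owned by its kobject's refcount, so no code outside that callback may kfree() it, and a short comment on the ktype saying so would help the next person touching this file.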
@@ -1367,8 +1370,12 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
 	return err;
 }
 
-static void deallocate_threshold_block(unsigned int cpu,
-						 unsigned int bank)
+static void threshold_block_release(struct kobject *kobj)
+{
+	kfree(to_block(kobj));
+}
+
+static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
 {
 	struct threshold_block *pos = NULL;
 	struct threshold_block *tmp = NULL;
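Review bot: threshold_block_release() frees the whole struct threshold_block through to_block(kobj), so it depends on every other resource of the block, its miscj list linkage in particular, having been torn down before the final kobject_put(); that invariant deserves a one-line comment on the function, because a future caller doing kobject_put() on a block still linked into the list would reintroduce the same use-after-free class this patch fixes. Also worth confirming in review that to_block() is a plain container_of() on the embedded kobj rather than a lookup through per-CPU state, since release runs from whatever context drops the last reference.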
@@ -1378,13 +1385,11 @@ static void deallocate_threshold_block(unsigned int cpu,
 		return;
 
 	list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
-		kobject_put(&pos->kobj);
 		list_del(&pos->miscj);
-		kfree(pos);
+		kobject_put(&pos->kobj);
 	}
 
-	kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
-	per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
+	kobject_put(&head->blocks->kobj);
 }
 
 static void __threshold_remove_blocks(struct threshold_bank *b)
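Review bot: the removed `per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;` is not carried over, so after `kobject_put(&head->blocks->kobj)` `head->blocks` keeps pointing at memory that is freed as soon as the last sysfs reference drops; if the early `return` at the top of this function guards on `head->blocks`, a second call for the same bank would walk freed memory. Suggest keeping `head->blocks = NULL;` after the put unless the caller frees the bank struct immediately. The reordering inside the loop is correct and worth a comment: `list_del(&pos->miscj)` must now precede `kobject_put(&pos->kobj)` because the put may run threshold_block_release() and free `pos`.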
-- 
2.21.0



* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14  8:28 [PATCH] x86/mce/amd: Fix kobject lifetime Borislav Petkov
@ 2020-02-14  8:32 ` Borislav Petkov
  2020-02-14 15:17   ` Greg KH
  2020-02-15 13:34 ` [tip: ras/urgent] " tip-bot2 for Thomas Gleixner
  1 sibling, 1 reply; 8+ messages in thread
From: Borislav Petkov @ 2020-02-14  8:32 UTC (permalink / raw)
  To: stable; +Cc: X86 ML, Yazen Ghannam, LKML

On Fri, Feb 14, 2020 at 09:28:01AM +0100, Borislav Petkov wrote:
> From: Thomas Gleixner <tglx@linutronix.de>
> 
> Accessing the MCA thresholding controls in sysfs concurrently with CPU
> hotplug can lead to a couple of KASAN-reported issues:
> 
>   BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
>   Read of size 8 at addr ffff888367578940 by task grep/4019
> 
> and
> 
>   BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
>   Read of size 2 at addr ffff888368a05514 by task grep/4454
> 
> for example. Both result from the fact that the threshold block
> creation/teardown code frees the descriptor memory itself instead of
> defining a proper ->release function and leaving it to the driver core to
> take care of that, after all sysfs accesses have completed.
> 
> Do that and get rid of the custom freeing code, fixing the above UAFs in
> the process.
> 
>   [ bp: write commit message. ]
> 
> Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Cc: <stable@vger.kernel.org>

Damn git-send-email: it read out Cc: stable and added it to the Cc list.
I've added

suppresscc = bodycc

to my .gitconfig.

Sorry stable guys.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14  8:32 ` Borislav Petkov
@ 2020-02-14 15:17   ` Greg KH
  2020-02-14 20:11     ` Borislav Petkov
  0 siblings, 1 reply; 8+ messages in thread
From: Greg KH @ 2020-02-14 15:17 UTC (permalink / raw)
  To: Borislav Petkov; +Cc: stable, X86 ML, Yazen Ghannam, LKML

On Fri, Feb 14, 2020 at 09:32:30AM +0100, Borislav Petkov wrote:
> On Fri, Feb 14, 2020 at 09:28:01AM +0100, Borislav Petkov wrote:
> > From: Thomas Gleixner <tglx@linutronix.de>
> > 
> > Accessing the MCA thresholding controls in sysfs concurrently with CPU
> > hotplug can lead to a couple of KASAN-reported issues:
> > 
> >   BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
> >   Read of size 8 at addr ffff888367578940 by task grep/4019
> > 
> > and
> > 
> >   BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
> >   Read of size 2 at addr ffff888368a05514 by task grep/4454
> > 
> > for example. Both result from the fact that the threshold block
> > creation/teardown code frees the descriptor memory itself instead of
> > defining a proper ->release function and leaving it to the driver core to
> > take care of that, after all sysfs accesses have completed.
> > 
> > Do that and get rid of the custom freeing code, fixing the above UAFs in
> > the process.
> > 
> >   [ bp: write commit message. ]
> > 
> > Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
> > Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> > Signed-off-by: Borislav Petkov <bp@suse.de>
> > Cc: <stable@vger.kernel.org>
> 
> Damn git-send-email: it read out Cc: stable and added it to the Cc list.
> I've added
> 
> suppresscc = bodycc
> 
> to my .gitconfig.
> 
> Sorry stable guys.

Does not bother me at all, it's fine to see stuff come by that will end
up in future trees, it's not noise at all.  So no need to suppress
stable@vger if you don't want to.

thanks,

greg k-h


* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14 15:17   ` Greg KH
@ 2020-02-14 20:11     ` Borislav Petkov
  2020-02-14 20:26       ` Thomas Gleixner
  0 siblings, 1 reply; 8+ messages in thread
From: Borislav Petkov @ 2020-02-14 20:11 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, X86 ML, Yazen Ghannam, LKML

On Fri, Feb 14, 2020 at 07:17:27AM -0800, Greg KH wrote:
> Does not bother me at all, it's fine to see stuff come by that will end
> up in future trees, it's not noise at all.  So no need to suppress
> stable@vger if you don't want to.

Ok, but what about your formletter which you send to people explaining
this is not how you should send a patch to stable?

Like this, for example:

https://lkml.kernel.org/r/20200116100925.GA157179@kroah.com

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14 20:11     ` Borislav Petkov
@ 2020-02-14 20:26       ` Thomas Gleixner
  2020-02-14 20:36         ` Borislav Petkov
  2020-02-14 20:41         ` Greg KH
  0 siblings, 2 replies; 8+ messages in thread
From: Thomas Gleixner @ 2020-02-14 20:26 UTC (permalink / raw)
  To: Borislav Petkov, Greg KH; +Cc: stable, X86 ML, Yazen Ghannam, LKML

Borislav Petkov <bp@alien8.de> writes:

> On Fri, Feb 14, 2020 at 07:17:27AM -0800, Greg KH wrote:
>> Does not bother me at all, it's fine to see stuff come by that will end
>> up in future trees, it's not noise at all.  So no need to suppress
>> stable@vger if you don't want to.
>
> Ok, but what about your formletter which you send to people explaining
> this is not how you should send a patch to stable?
>
> Like this, for example:
>
> https://lkml.kernel.org/r/20200116100925.GA157179@kroah.com

This once Cc'ed stable but lacked a Cc: stable tag in the changelog.

Thanks,

        tglx


* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14 20:26       ` Thomas Gleixner
@ 2020-02-14 20:36         ` Borislav Petkov
  2020-02-14 20:41         ` Greg KH
  1 sibling, 0 replies; 8+ messages in thread
From: Borislav Petkov @ 2020-02-14 20:36 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: Greg KH, stable, X86 ML, Yazen Ghannam, LKML

On Fri, Feb 14, 2020 at 09:26:31PM +0100, Thomas Gleixner wrote:
> This once Cc'ed stable but lacked a Cc: stable tag in the changelog.

So that's the difference. Ok, I'm fine with that.

/me removes "suppresscc = bodycc" from his .gitconfig again.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette


* Re: [PATCH] x86/mce/amd: Fix kobject lifetime
  2020-02-14 20:26       ` Thomas Gleixner
  2020-02-14 20:36         ` Borislav Petkov
@ 2020-02-14 20:41         ` Greg KH
  1 sibling, 0 replies; 8+ messages in thread
From: Greg KH @ 2020-02-14 20:41 UTC (permalink / raw)
  To: Thomas Gleixner; +Cc: Borislav Petkov, stable, X86 ML, Yazen Ghannam, LKML

On Fri, Feb 14, 2020 at 09:26:31PM +0100, Thomas Gleixner wrote:
> Borislav Petkov <bp@alien8.de> writes:
> 
> > On Fri, Feb 14, 2020 at 07:17:27AM -0800, Greg KH wrote:
> >> Does not bother me at all, it's fine to see stuff come by that will end
> >> up in future trees, it's not noise at all.  So no need to suppress
> >> stable@vger if you don't want to.
> >
> > Ok, but what about your formletter which you send to people explaining
> > this is not how you should send a patch to stable?
> >
> > Like this, for example:
> >
> > https://lkml.kernel.org/r/20200116100925.GA157179@kroah.com
> 
> This once Cc'ed stable but lacked a Cc: stable tag in the changelog.

Exactly :)


* [tip: ras/urgent] x86/mce/amd: Fix kobject lifetime
  2020-02-14  8:28 [PATCH] x86/mce/amd: Fix kobject lifetime Borislav Petkov
  2020-02-14  8:32 ` Borislav Petkov
@ 2020-02-15 13:34 ` " tip-bot2 for Thomas Gleixner
  1 sibling, 0 replies; 8+ messages in thread
From: tip-bot2 for Thomas Gleixner @ 2020-02-15 13:34 UTC (permalink / raw)
  To: linux-tip-commits; +Cc: Thomas Gleixner, Borislav Petkov, stable, x86, LKML

The following commit has been merged into the ras/urgent branch of tip:

Commit-ID:     51dede9c05df2b78acd6dcf6a17d21f0877d2d7b
Gitweb:        https://git.kernel.org/tip/51dede9c05df2b78acd6dcf6a17d21f0877d2d7b
Author:        Thomas Gleixner <tglx@linutronix.de>
AuthorDate:    Thu, 13 Feb 2020 19:01:34 +01:00
Committer:     Borislav Petkov <bp@suse.de>
CommitterDate: Fri, 14 Feb 2020 09:28:31 +01:00

x86/mce/amd: Fix kobject lifetime

Accessing the MCA thresholding controls in sysfs concurrently with CPU
hotplug can lead to a couple of KASAN-reported issues:

  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
  Read of size 8 at addr ffff888367578940 by task grep/4019

and

  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
  Read of size 2 at addr ffff888368a05514 by task grep/4454

for example. Both result from the fact that the threshold block
creation/teardown code frees the descriptor memory itself instead of
defining a proper ->release function and leaving it to the driver core to
take care of that, after all sysfs accesses have completed.

Do that and get rid of the custom freeing code, fixing the above UAFs in
the process.

  [ bp: write commit message. ]

Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
---
 arch/x86/kernel/cpu/mce/amd.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c
index e7313e5..52de616 100644
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1163,9 +1163,12 @@ static const struct sysfs_ops threshold_ops = {
 	.store			= store,
 };
 
+static void threshold_block_release(struct kobject *kobj);
+
 static struct kobj_type threshold_ktype = {
 	.sysfs_ops		= &threshold_ops,
 	.default_attrs		= default_attrs,
+	.release		= threshold_block_release,
 };
 
 static const char *get_name(unsigned int bank, struct threshold_block *b)
@@ -1367,8 +1370,12 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
 	return err;
 }
 
-static void deallocate_threshold_block(unsigned int cpu,
-						 unsigned int bank)
+static void threshold_block_release(struct kobject *kobj)
+{
+	kfree(to_block(kobj));
+}
+
+static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
 {
 	struct threshold_block *pos = NULL;
 	struct threshold_block *tmp = NULL;
@@ -1378,13 +1385,11 @@ static void deallocate_threshold_block(unsigned int cpu,
 		return;
 
 	list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
-		kobject_put(&pos->kobj);
 		list_del(&pos->miscj);
-		kfree(pos);
+		kobject_put(&pos->kobj);
 	}
 
-	kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
-	per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
+	kobject_put(&head->blocks->kobj);
 }
 
 static void __threshold_remove_blocks(struct threshold_bank *b)
