From patchwork Thu Feb 27 13:36:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 230116 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 67D9CC35677 for ; Thu, 27 Feb 2020 14:47:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3F22F24656 for ; Thu, 27 Feb 2020 14:47:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582814860; bh=QA3jeg9gW/R8f7Sgn3etd/gjp/5Lbr+aIijXiYDZ0Yc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=W/NfnOQGUE8yuBmgPsIITk7/mvQ0jknO+/e/Uwun4d2BHc/t2SXU6zj2N00gm/zMd xghI4Nv4ffeO8sDjipDZSDJ10RqkavdkAaaK2fIgnCLm19HunlxUJhhWXvCuGuokxt NQQX77yZNcJsM8CaB4Mv0XOBNjab3VRO4B6m3wlA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729193AbgB0Org (ORCPT ); Thu, 27 Feb 2020 09:47:36 -0500 Received: from mail.kernel.org ([198.145.29.99]:39448 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729591AbgB0NoD (ORCPT ); Thu, 27 Feb 2020 08:44:03 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3E50320726; Thu, 27 Feb 2020 13:44:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1582811042; bh=QA3jeg9gW/R8f7Sgn3etd/gjp/5Lbr+aIijXiYDZ0Yc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KfuPhHmoPtgr3+cEspurKPrQ/Vo63cqKgxWMoQ8ZmytJN5kC1TMq1spbxqvp6BphL Wxo3CrKU7te8XRths7jL4LVqLJf+rKzmEc1J+kjPVk+GULMAc2bYqCy7wbpEYSOv6T f6hAu9BrSy4Gp5BkGQvEIHadk0PUHXT0TXOx9zOU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thomas Gleixner , Borislav Petkov Subject: [PATCH 4.4 093/113] x86/mce/amd: Fix kobject lifetime Date: Thu, 27 Feb 2020 14:36:49 +0100 Message-Id: <20200227132226.622931292@linuxfoundation.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200227132211.791484803@linuxfoundation.org> References: <20200227132211.791484803@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Thomas Gleixner commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream. Accessing the MCA thresholding controls in sysfs concurrently with CPU hotplug can lead to a couple of KASAN-reported issues: BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180 Read of size 8 at addr ffff888367578940 by task grep/4019 and BUG: KASAN: use-after-free in show_error_count+0x15c/0x180 Read of size 2 at addr ffff888368a05514 by task grep/4454 for example. Both result from the fact that the threshold block creation/teardown code frees the descriptor memory itself instead of defining proper ->release function and leaving it to the driver core to take care of that, after all sysfs accesses have completed. Do that and get rid of the custom freeing code, fixing the above UAFs in the process. [ bp: write commit message. ] Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors") Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Cc: Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/cpu/mcheck/mce_amd.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) --- a/arch/x86/kernel/cpu/mcheck/mce_amd.c +++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c @@ -560,9 +560,12 @@ static const struct sysfs_ops threshold_ .store = store, }; +static void threshold_block_release(struct kobject *kobj); + static struct kobj_type threshold_ktype = { .sysfs_ops = &threshold_ops, .default_attrs = default_attrs, + .release = threshold_block_release, }; static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank, @@ -765,8 +768,12 @@ static int threshold_create_device(unsig return err; } -static void deallocate_threshold_block(unsigned int cpu, - unsigned int bank) +static void threshold_block_release(struct kobject *kobj) +{ + kfree(to_block(kobj)); +} + +static void deallocate_threshold_block(unsigned int cpu, unsigned int bank) { struct threshold_block *pos = NULL; struct threshold_block *tmp = NULL; @@ -776,13 +783,11 @@ static void deallocate_threshold_block(u return; list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) { - kobject_put(&pos->kobj); list_del(&pos->miscj); - kfree(pos); + kobject_put(&pos->kobj); } - kfree(per_cpu(threshold_banks, cpu)[bank]->blocks); - per_cpu(threshold_banks, cpu)[bank]->blocks = NULL; + kobject_put(&head->blocks->kobj); } static void __threshold_remove_blocks(struct threshold_bank *b)