x86/mce/amd: Fix kobject lifetime
commit 51dede9 upstream.

Accessing the MCA thresholding controls in sysfs concurrently with CPU
hotplug can lead to a couple of KASAN-reported issues:

  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
  Read of size 8 at addr ffff888367578940 by task grep/4019

and

  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
  Read of size 2 at addr ffff888368a05514 by task grep/4454

for example. Both result from the fact that the threshold block
creation/teardown code frees the descriptor memory itself instead of
defining a proper ->release function and leaving it to the driver core to
take care of that, after all sysfs accesses have completed.

Do that and get rid of the custom freeing code, fixing the above UAFs in
the process.

  [ bp: write commit message. ]

Fixes: 9526866 ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
KAGA-KOKO authored and gregkh committed Feb 28, 2020
1 parent de2cce5 commit 88e4901
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions arch/x86/kernel/cpu/mce/amd.c
Expand Up @@ -1161,9 +1161,12 @@ static const struct sysfs_ops threshold_ops = {
.store = store,
};

static void threshold_block_release(struct kobject *kobj);

static struct kobj_type threshold_ktype = {
.sysfs_ops = &threshold_ops,
.default_attrs = default_attrs,
.release = threshold_block_release,
};

static const char *get_name(unsigned int bank, struct threshold_block *b)
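
Review bot: the forward declaration of threshold_block_release() above threshold_ktype could be avoided by defining the function at this point instead of next to deallocate_threshold_block(), provided to_block() is already visible here. Since .release now frees the containing threshold_block, a short comment on threshold_ktype saying that every kobject initialised with this ktype must be embedded in a heap-allocated threshold_block would also help, because a kobject of this type embedded anywhere else would be passed to kfree() on its final put.
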
Expand Down Expand Up @@ -1365,8 +1368,12 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
return err;
}

static void deallocate_threshold_block(unsigned int cpu,
unsigned int bank)
static void threshold_block_release(struct kobject *kobj)
{
kfree(to_block(kobj));
}

static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
{
struct threshold_block *pos = NULL;
struct threshold_block *tmp = NULL;
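
Review bot: threshold_block_release() carries no comment, yet it is now meant to be the one place a threshold_block is freed. A line above it stating that it runs when the last kobject reference is dropped, which can be after deallocate_threshold_block() has returned if a sysfs reader still holds a reference, would document why no other code may kfree() a block directly. The allocation path is not part of this diff, so it is worth confirming that no error path there still calls kfree() on a block whose kobject has already been initialised.
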
Expand All @@ -1376,13 +1383,11 @@ static void deallocate_threshold_block(unsigned int cpu,
return;

list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
kobject_put(&pos->kobj);
list_del(&pos->miscj);
kfree(pos);
kobject_put(&pos->kobj);
}

kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
kobject_put(&head->blocks->kobj);
}

static void __threshold_remove_blocks(struct threshold_bank *b)
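
Review bot: after the final kobject_put(&head->blocks->kobj) the blocks pointer is no longer reset to NULL, so head->blocks is left pointing at memory the release callback may already have freed. If anything can still read ->blocks after deallocate_threshold_block() returns, keep a head->blocks = NULL after the put; otherwise a one-line comment saying the bank itself is about to go away would make the omission deliberate. In the loop, list_del(&pos->miscj) before kobject_put(&pos->kobj) is the right order, since the put may free pos.
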