From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Borislav Petkov <bp@suse.de>, Sasha Levin <sashal@kernel.org>,
linux-edac@vger.kernel.org
Subject: [PATCH AUTOSEL 5.8 11/20] EDAC/ghes: Check whether the driver is on the safe list correctly
Date: Mon, 21 Sep 2020 10:40:18 -0400
Message-ID: <20200921144027.2135390-11-sashal@kernel.org>
In-Reply-To: <20200921144027.2135390-1-sashal@kernel.org>
From: Borislav Petkov <bp@suse.de>

[ Upstream commit 251c54ea26fa6029b01a76161a37a12fde5124e4 ]

With CONFIG_DEBUG_TEST_DRIVER_REMOVE=y, a system would try to probe,
unregister and probe again a driver.

When ghes_edac is attempted to be loaded on a system which is not on
the safe platforms list, ghes_edac_register() would return early. The
unregister counterpart ghes_edac_unregister() would still attempt to
unregister and exit early at the refcount test, leading to the refcount
underflow below.

In order to not do *anything* on the unregister path too, reuse the
force_load parameter and check it on that path too, before fumbling with
the refcount.

ghes_edac: ghes_edac_register: entry
ghes_edac: ghes_edac_register: return -ENODEV
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 10 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xb9/0x100
Modules linked in:
CPU: 10 PID: 1 Comm: swapper/0 Not tainted 5.9.0-rc4+ #12
Hardware name: GIGABYTE MZ01-CE1-00/MZ01-CE1-00, BIOS F02 08/29/2018
RIP: 0010:refcount_warn_saturate+0xb9/0x100
Code: 82 e8 fb 8f 4d 00 90 0f 0b 90 90 c3 80 3d 55 4c f5 00 00 75 88 c6 05 4c 4c f5 00 01 90 48 c7 c7 d0 8a 10 82 e8 d8 8f 4d 00 90 <0f> 0b 90 90 c3 80 3d 30 4c f5 00 00 0f 85 61 ff ff ff c6 05 23 4c
RSP: 0018:ffffc90000037d58 EFLAGS: 00010292
RAX: 0000000000000026 RBX: ffff88840b8da000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8216b24f RDI: 00000000ffffffff
RBP: ffff88840c662e00 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000046 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88840ee80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000800002211000 CR4: 00000000003506e0
Call Trace:
ghes_edac_unregister
ghes_remove
platform_drv_remove
really_probe
driver_probe_device
device_driver_attach
__driver_attach
? device_driver_attach
? device_driver_attach
bus_for_each_dev
bus_add_driver
driver_register
? bert_init
ghes_init
do_one_initcall
? rcu_read_lock_sched_held
kernel_init_freeable
? rest_init
kernel_init
ret_from_fork
...
ghes_edac: ghes_edac_unregister: FALSE, refcount: -1073741824
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20200911164950.GB19320@zn.tnic
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/ghes_edac.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/edac/ghes_edac.c b/drivers/edac/ghes_edac.c
index cb3dab56a875d..efad23575b16b 100644
--- a/drivers/edac/ghes_edac.c
+++ b/drivers/edac/ghes_edac.c
@@ -469,6 +469,7 @@ int ghes_edac_register(struct ghes *ghes, struct device *dev)
if (!force_load && idx < 0)
return -ENODEV;
} else {
+ force_load = true;
idx = 0;
}
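Review bot: the added "force_load = true;" in the else branch overwrites what the commit message calls the force_load parameter in order to record an internal decision, so from this point the variable no longer tells you what the user asked for. A separate static flag, set wherever registration is allowed to proceed, would keep the two meanings apart; failing that, this line needs a comment saying that ghes_edac_unregister() depends on it.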
@@ -566,6 +567,9 @@ void ghes_edac_unregister(struct ghes *ghes)
struct mem_ctl_info *mci;
unsigned long flags;
+ if (!force_load)
+ return;
+
mutex_lock(&ghes_reg_mutex);
if (!refcount_dec_and_test(&ghes_refcount))
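Review bot: the new "if (!force_load) return;" test stands in for "did ghes_edac_register() take a reference", and it is evaluated before mutex_lock(&ghes_reg_mutex). It covers the safe-list early return described in the commit message, but any other path where register returns without incrementing ghes_refcount while force_load is set would still reach refcount_dec_and_test() and underflow. Consider tracking successful registration explicitly, and add a comment above the check explaining why unregister must do nothing in this case.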
--
2.25.1