From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Daniel Jordan <daniel.m.jordan@oracle.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
linux-crypto@vger.kernel.org,
Yang Yingliang <yangyingliang@huawei.com>
Subject: [PATCH 4.19 16/16] padata: add separate cpuhp node for CPUHP_PADATA_DEAD
Date: Fri, 6 Aug 2021 10:15:07 +0200 [thread overview]
Message-ID: <20210806081111.662287213@linuxfoundation.org> (raw)
In-Reply-To: <20210806081111.144943357@linuxfoundation.org>
From: Daniel Jordan <daniel.m.jordan@oracle.com>
commit 3c2214b6027ff37945799de717c417212e1a8c54 upstream.
Removing the pcrypt module triggers this:
general protection fault, probably for non-canonical
address 0xdead000000000122
CPU: 5 PID: 264 Comm: modprobe Not tainted 5.6.0+ #2
Hardware name: QEMU Standard PC
RIP: 0010:__cpuhp_state_remove_instance+0xcc/0x120
Call Trace:
padata_sysfs_release+0x74/0xce
kobject_put+0x81/0xd0
padata_free+0x12/0x20
pcrypt_exit+0x43/0x8ee [pcrypt]
padata instances wrongly use the same hlist node for the online and dead
states, so __padata_free()'s second cpuhp remove call chokes on the node
that the first poisoned.
cpuhp multi-instance callbacks only walk forward in cpuhp_step->list and
the same node is linked in both the online and dead lists, so the list
corruption that results from padata_alloc() adding the node to a second
list without removing it from the first doesn't cause problems as long
as no instances are freed.
Avoid the issue by giving each state its own node.
Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/padata.h | 6 ++++--
kernel/padata.c | 14 ++++++++------
2 files changed, 12 insertions(+), 8 deletions(-)
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -138,7 +138,8 @@ struct parallel_data {
/**
* struct padata_instance - The overall control structure.
*
- * @cpu_notifier: cpu hotplug notifier.
+ * @cpu_online_node: Linkage for CPU online callback.
+ * @cpu_dead_node: Linkage for CPU offline callback.
* @wq: The workqueue in use.
* @pd: The internal control structure.
* @cpumask: User supplied cpumasks for parallel and serial works.
@@ -150,7 +151,8 @@ struct parallel_data {
* @flags: padata flags.
*/
struct padata_instance {
- struct hlist_node node;
+ struct hlist_node cpu_online_node;
+ struct hlist_node cpu_dead_node;
struct workqueue_struct *wq;
struct parallel_data *pd;
struct padata_cpumask cpumask;
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -748,7 +748,7 @@ static int padata_cpu_online(unsigned in
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
@@ -763,7 +763,7 @@ static int padata_cpu_dead(unsigned int
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
@@ -779,8 +779,9 @@ static enum cpuhp_state hp_online;
static void __padata_free(struct padata_instance *pinst)
{
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD, &pinst->node);
- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
+ cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
+ &pinst->cpu_dead_node);
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
#endif
padata_stop(pinst);
@@ -964,9 +965,10 @@ static struct padata_instance *padata_al
mutex_init(&pinst->lock);
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_add_instance_nocalls_cpuslocked(hp_online, &pinst->node);
+ cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
+ &pinst->cpu_online_node);
cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
- &pinst->node);
+ &pinst->cpu_dead_node);
#endif
return pinst;
next prev parent reply other threads:[~2021-08-06 8:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 8:14 [PATCH 4.19 00/16] 4.19.202-rc1 review Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 01/16] btrfs: mark compressed range uptodate only if all bio succeed Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 02/16] regulator: rt5033: Fix n_voltages settings for BUCK and LDO Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 03/16] ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 04/16] r8152: Fix potential PM refcount imbalance Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 05/16] qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union() Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 06/16] net: Fix zero-copy head len calculation Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 07/16] bdi: move bdi_dev_name out of line Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 08/16] bdi: use bdi_dev_name() to get device name Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 09/16] bdi: add a ->dev_name field to struct backing_dev_info Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 10/16] Revert "spi: mediatek: fix fifo rx mode" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 11/16] Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 12/16] drm/i915: Ensure intel_engine_init_execlist() builds with Clang Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 13/16] firmware: arm_scmi: Ensure drivers provide a probe function Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 14/16] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 15/16] padata: validate cpumask without removed CPU during offline Greg Kroah-Hartman
2021-08-06 8:15 ` Greg Kroah-Hartman [this message]
2021-08-06 12:31 ` [PATCH 4.19 00/16] 4.19.202-rc1 review Pavel Machek
2021-08-06 14:33 ` Jon Hunter
2021-08-06 18:58 ` Guenter Roeck
2021-08-07 10:42 ` Sudip Mukherjee
2021-08-07 18:44 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210806081111.662287213@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel.m.jordan@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.