From: Oded Gabbay <ogabbay@kernel.org>
To: linux-kernel@vger.kernel.org
Cc: Dani Liberman <dliberman@habana.ai>
Subject: [PATCH 02/30] habanalabs: fix race when waiting on encaps signal
Date: Sat, 22 Jan 2022 21:57:03 +0200 [thread overview]
Message-ID: <20220122195731.934494-2-ogabbay@kernel.org> (raw)
In-Reply-To: <20220122195731.934494-1-ogabbay@kernel.org>
From: Dani Liberman <dliberman@habana.ai>
Scenario:
1. CS which is part of encaps signal has been completed and now
executing kref_put to its encaps signal handle. The refcount of the
handle decremented to 0, and called the encaps signal handle
release function - hl_encaps_handle_do_release.
2. At this point the user starts waiting on the signal, and finds the
encaps signal handle in the handlers list and increment the habdle
refcount to 1.
3. Immediately after, hl_encaps_handle_do_release removed the handle
from the list and free its memory.
4. Wait function using the handle although it has been freed.
This scenario caused the slab area which was previously allocated
for the handle to be poison overwritten which triggered kernel bug
the next time the OS needed to allocate this slab.
Fixed by getting the refcount of the handle and validate it only if
the refcount was not zero before.
Signed-off-by: Dani Liberman <dliberman@habana.ai>
Reviewed-by: Oded Gabbay <ogabbay@kernel.org>
Signed-off-by: Oded Gabbay <ogabbay@kernel.org>
---
drivers/misc/habanalabs/common/command_submission.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/habanalabs/common/command_submission.c b/drivers/misc/habanalabs/common/command_submission.c
index 2f40b937c59f..96ec1fd3882a 100644
--- a/drivers/misc/habanalabs/common/command_submission.c
+++ b/drivers/misc/habanalabs/common/command_submission.c
@@ -2063,13 +2063,22 @@ static int cs_ioctl_signal_wait(struct hl_fpriv *hpriv, enum hl_cs_type cs_type,
idp = &ctx->sig_mgr.handles;
idr_for_each_entry(idp, encaps_sig_hdl, id) {
if (encaps_sig_hdl->cs_seq == signal_seq) {
- handle_found = true;
/* get refcount to protect removing
* this handle from idr, needed when
* multiple wait cs are used with offset
* to wait on reserved encaps signals.
*/
kref_get(&encaps_sig_hdl->refcount);
+ /*
+ * Since kref_put of this handle is executed outside the
+ * current lock, it is possible that the handle refcount
+ * is 0 but it yet to be removed from the list. In this case
+ * need to consider the handle as not valid. To ensure
+ * that the handle is valid, its refcount must be bigger
+ * than 1.
+ */
+ if (kref_read(&encaps_sig_hdl->refcount) > 1)
+ handle_found = true;
break;
}
}
--
2.25.1
next prev parent reply other threads:[~2022-01-22 19:57 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-22 19:57 [PATCH 01/30] habanalabs: check the return value of hl_cs_poll_fences() Oded Gabbay
2022-01-22 19:57 ` Oded Gabbay [this message]
2022-01-22 19:57 ` [PATCH 03/30] habanalabs: fix possible memory leak in MMU DR fini Oded Gabbay
2022-01-22 19:57 ` [PATCH 04/30] habanalabs/gaudi: disable CGM permanently Oded Gabbay
2022-01-22 19:57 ` [PATCH 05/30] habanalabs: remove ASIC functions of clock gating Oded Gabbay
2022-01-22 19:57 ` [PATCH 06/30] habanalabs: make some MMU functions common Oded Gabbay
2022-01-22 19:57 ` [PATCH 07/30] habanalabs: sysfs functions should be in sysfs.c Oded Gabbay
2022-01-22 19:57 ` [PATCH 08/30] habanalabs: get clk is common function Oded Gabbay
2022-01-22 19:57 ` [PATCH 09/30] habanalabs: remove hwmgr.c Oded Gabbay
2022-01-22 19:57 ` [PATCH 10/30] habanalabs: move more f/w functions to firmware_if.c Oded Gabbay
2022-01-22 19:57 ` [PATCH 11/30] habanalabs: remove asic callback set_pll_profile() Oded Gabbay
2022-01-22 19:57 ` [PATCH 12/30] habanalabs: rename dev_attr_grp to dev_clk_attr_grp Oded Gabbay
2022-01-22 19:57 ` [PATCH 13/30] habanalabs: add vrm version to sysfs Oded Gabbay
2022-01-22 19:57 ` [PATCH 14/30] habanalabs: remove power9 workaround for dma support Oded Gabbay
2022-01-22 19:57 ` [PATCH 15/30] habanalabs: use common wrapper for MMU cache invalidation Oded Gabbay
2022-01-22 19:57 ` [PATCH 16/30] habanalabs: sysfs support for fw os version Oded Gabbay
2022-01-22 19:57 ` [PATCH 17/30] habanalabs: there is no kernel TDR in future ASICs Oded Gabbay
2022-01-22 19:57 ` [PATCH 18/30] habanalabs: duplicate HOP table props to MMU props Oded Gabbay
2022-01-22 19:57 ` [PATCH 19/30] habanalabs: don't free phys_pg_pack inside lock Oded Gabbay
2022-01-22 19:57 ` [PATCH 20/30] habanalabs: avoid copying pll data if pll_info_get fails Oded Gabbay
2022-01-22 19:57 ` [PATCH 21/30] habanalabs: add missing error check in sysfs clk_freq_mhz_show Oded Gabbay
2022-01-22 19:57 ` [PATCH 22/30] habanalabs: fix soft reset flow in case of failure Oded Gabbay
2022-01-22 19:57 ` [PATCH 23/30] habanalabs: add missing error check in sysfs max_power_show Oded Gabbay
2022-01-22 19:57 ` [PATCH 24/30] habanalabs: update to latest f/w specs Oded Gabbay
2022-01-22 19:57 ` [PATCH 25/30] habanalabs: expose number of user interrupts Oded Gabbay
2022-01-22 19:57 ` [PATCH 26/30] habanalabs: reject host map with mmu disabled Oded Gabbay
2022-01-22 19:57 ` [PATCH 27/30] habanalabs: fix user interrupt wait when timeout is 0 Oded Gabbay
2022-01-22 19:57 ` [PATCH 28/30] habanalabs: fix race between wait and irq Oded Gabbay
2022-01-22 19:57 ` [PATCH 29/30] habanalabs: prevent false heartbeat failure during soft-reset Oded Gabbay
2022-01-22 19:57 ` [PATCH 30/30] habanalabs: remove duplicate print Oded Gabbay
[not found] ` <20220123002722.3057-1-hdanton@sina.com>
2022-01-24 18:22 ` [PATCH 02/30] habanalabs: fix race when waiting on encaps signal Dani Liberman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220122195731.934494-2-ogabbay@kernel.org \
--to=ogabbay@kernel.org \
--cc=dliberman@habana.ai \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.