From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nadav Amit <namit@vmware.com>,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
stable@kernel.org
Subject: [PATCH 5.10 51/52] x86/alternative: Fix race in try_get_desc()
Date: Mon, 3 Oct 2022 09:11:58 +0200 [thread overview]
Message-ID: <20221003070720.238567508@linuxfoundation.org> (raw)
In-Reply-To: <20221003070718.687440096@linuxfoundation.org>
From: Nadav Amit <namit@vmware.com>
commit efd608fa7403ba106412b437f873929e2c862e28 upstream.
I encountered some occasional crashes of poke_int3_handler() when
kprobes are set, while accessing desc->vec.
The text poke mechanism claims to have an RCU-like behavior, but it
does not appear that there is any quiescent state to ensure that
nobody holds reference to desc. As a result, the following race
appears to be possible, which can lead to memory corruption.
CPU0 CPU1
---- ----
text_poke_bp_batch()
-> smp_store_release(&bp_desc, &desc)
[ notice that desc is on
the stack ]
poke_int3_handler()
[ int3 might be kprobe's
so sync events are do not
help ]
-> try_get_desc(descp=&bp_desc)
desc = __READ_ONCE(bp_desc)
if (!desc) [false, success]
WRITE_ONCE(bp_desc, NULL);
atomic_dec_and_test(&desc.refs)
[ success, desc space on the stack
is being reused and might have
non-zero value. ]
arch_atomic_inc_not_zero(&desc->refs)
[ might succeed since desc points to
stack memory that was freed and might
be reused. ]
Fix this issue with small backportable patch. Instead of trying to
make RCU-like behavior for bp_desc, just eliminate the unnecessary
level of indirection of bp_desc, and hold the whole descriptor as a
global. Anyhow, there is only a single descriptor at any given
moment.
Fixes: 1f676247f36a4 ("x86/alternatives: Implement a better poke_int3_handler() completion scheme")
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Link: https://lkml.kernel.org/r/20220920224743.3089-1-namit@vmware.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/alternative.c | 45 +++++++++++++++++++++---------------------
1 file changed, 23 insertions(+), 22 deletions(-)
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1330,22 +1330,23 @@ struct bp_patching_desc {
atomic_t refs;
};
-static struct bp_patching_desc *bp_desc;
+static struct bp_patching_desc bp_desc;
static __always_inline
-struct bp_patching_desc *try_get_desc(struct bp_patching_desc **descp)
+struct bp_patching_desc *try_get_desc(void)
{
- /* rcu_dereference */
- struct bp_patching_desc *desc = __READ_ONCE(*descp);
+ struct bp_patching_desc *desc = &bp_desc;
- if (!desc || !arch_atomic_inc_not_zero(&desc->refs))
+ if (!arch_atomic_inc_not_zero(&desc->refs))
return NULL;
return desc;
}
-static __always_inline void put_desc(struct bp_patching_desc *desc)
+static __always_inline void put_desc(void)
{
+ struct bp_patching_desc *desc = &bp_desc;
+
smp_mb__before_atomic();
arch_atomic_dec(&desc->refs);
}
@@ -1378,15 +1379,15 @@ noinstr int poke_int3_handler(struct pt_
/*
* Having observed our INT3 instruction, we now must observe
- * bp_desc:
+ * bp_desc with non-zero refcount:
*
- * bp_desc = desc INT3
+ * bp_desc.refs = 1 INT3
* WMB RMB
- * write INT3 if (desc)
+ * write INT3 if (bp_desc.refs != 0)
*/
smp_rmb();
- desc = try_get_desc(&bp_desc);
+ desc = try_get_desc();
if (!desc)
return 0;
@@ -1440,7 +1441,7 @@ noinstr int poke_int3_handler(struct pt_
ret = 1;
out_put:
- put_desc(desc);
+ put_desc();
return ret;
}
@@ -1471,18 +1472,20 @@ static int tp_vec_nr;
*/
static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries)
{
- struct bp_patching_desc desc = {
- .vec = tp,
- .nr_entries = nr_entries,
- .refs = ATOMIC_INIT(1),
- };
unsigned char int3 = INT3_INSN_OPCODE;
unsigned int i;
int do_sync;
lockdep_assert_held(&text_mutex);
- smp_store_release(&bp_desc, &desc); /* rcu_assign_pointer */
+ bp_desc.vec = tp;
+ bp_desc.nr_entries = nr_entries;
+
+ /*
+ * Corresponds to the implicit memory barrier in try_get_desc() to
+ * ensure reading a non-zero refcount provides up to date bp_desc data.
+ */
+ atomic_set_release(&bp_desc.refs, 1);
/*
* Corresponding read barrier in int3 notifier for making sure the
@@ -1570,12 +1573,10 @@ static void text_poke_bp_batch(struct te
text_poke_sync();
/*
- * Remove and synchronize_rcu(), except we have a very primitive
- * refcount based completion.
+ * Remove and wait for refs to be zero.
*/
- WRITE_ONCE(bp_desc, NULL); /* RCU_INIT_POINTER */
- if (!atomic_dec_and_test(&desc.refs))
- atomic_cond_read_acquire(&desc.refs, !VAL);
+ if (!atomic_dec_and_test(&bp_desc.refs))
+ atomic_cond_read_acquire(&bp_desc.refs, !VAL);
}
static void text_poke_loc_init(struct text_poke_loc *tp, void *addr,
next prev parent reply other threads:[~2022-10-03 7:37 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-03 7:11 [PATCH 5.10 00/52] 5.10.147-rc1 review Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 01/52] thunderbolt: Add support for Intel Maple Ridge Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 02/52] thunderbolt: Add support for Intel Maple Ridge single port controller Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 03/52] ALSA: hda/tegra: Use clk_bulk helpers Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 04/52] ALSA: hda/tegra: Reset hardware Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 05/52] ALSA: hda/hdmi: let new platforms assign the pcm slot dynamically Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 06/52] ALSA: hda: Fix Nvidia dp infoframe Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 07/52] btrfs: fix hang during unmount when stopping a space reclaim worker Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 08/52] uas: add no-uas quirk for Hiksemi usb_disk Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 09/52] usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 10/52] uas: ignore UAS for Thinkplus chips Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 11/52] usb: typec: ucsi: Remove incorrect warning Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 12/52] thunderbolt: Explicitly reset plug events delay back to USB4 spec value Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 13/52] net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 14/52] Input: snvs_pwrkey - fix SNVS_HPVIDR1 register address Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 15/52] clk: ingenic-tcu: Properly enable registers before accessing timers Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 16/52] ARM: dts: integrator: Tag PCI host with device_type Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 17/52] ntfs: fix BUG_ON in ntfs_lookup_inode_by_name() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 18/52] net: mt7531: only do PLL once after the reset Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 19/52] powerpc/64s/radix: dont need to broadcast IPI for radix pmd collapse flush Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 20/52] libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 21/52] mmc: moxart: fix 4-bit bus width and remove 8-bit bus width Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 22/52] mmc: hsq: Fix data stomping during mmc recovery Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 23/52] mm/page_alloc: fix race condition between build_all_zonelists and page allocation Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 24/52] mm: prevent page_frag_alloc() from corrupting the memory Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 25/52] mm/migrate_device.c: flush TLB while holding PTL Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 26/52] mm: fix madivse_pageout mishandling on non-LRU page Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 27/52] media: dvb_vb2: fix possible out of bound access Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 28/52] media: rkvdec: Disable H.264 error detection Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 29/52] swiotlb: max mapping size takes min align mask into account Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 30/52] scsi: hisi_sas: Revert "scsi: hisi_sas: Limit max hw sectors for v3 HW" Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 31/52] ARM: dts: am33xx: Fix MMCHS0 dma properties Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 32/52] reset: imx7: Fix the iMX8MP PCIe PHY PERST support Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 33/52] soc: sunxi: sram: Actually claim SRAM regions Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 34/52] soc: sunxi: sram: Prevent the driver from being unbound Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 35/52] soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 36/52] soc: sunxi: sram: Fix probe function ordering issues Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 37/52] soc: sunxi: sram: Fix debugfs info for A64 SRAM C Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 38/52] ASoC: tas2770: Reinit regcache on reset Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 39/52] Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time" Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 40/52] Input: melfas_mip4 - fix return value check in mip4_probe() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 41/52] usbnet: Fix memory leak in usbnet_disconnect() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 42/52] net: sched: act_ct: fix possible refcount leak in tcf_ct_init() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 43/52] cxgb4: fix missing unlock on ETHOFLD desc collect fail path Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 44/52] nvme: add new line after variable declatation Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 45/52] nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 46/52] net: stmmac: power up/down serdes in stmmac_open/release Greg Kroah-Hartman
2022-10-04 10:16 ` Pavel Machek
2022-10-03 7:11 ` [PATCH 5.10 47/52] selftests: Fix the if conditions of in test_extra_filter() Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 48/52] clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 49/52] clk: iproc: Do not rely on node name for correct PLL setup Greg Kroah-Hartman
2022-10-03 7:11 ` [PATCH 5.10 50/52] KVM: x86: Hide IA32_PLATFORM_DCA_CAP[31:0] from the guest Greg Kroah-Hartman
2022-10-03 7:11 ` Greg Kroah-Hartman [this message]
2022-10-03 7:11 ` [PATCH 5.10 52/52] ALSA: hda/hdmi: fix warning about PCM count when used with SOF Greg Kroah-Hartman
2022-10-03 11:31 ` [PATCH 5.10 00/52] 5.10.147-rc1 review Jon Hunter
2022-10-03 13:50 ` Pavel Machek
2022-10-03 16:43 ` Allen Pais
2022-10-03 17:52 ` Guenter Roeck
2022-10-03 18:14 ` Florian Fainelli
2022-10-03 20:41 ` Slade Watkins
2022-10-04 8:41 ` Naresh Kamboju
2022-10-04 11:39 ` Sudip Mukherjee (Codethink)
2022-10-07 14:44 ` zhouzhixiu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221003070720.238567508@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=namit@vmware.com \
--cc=peterz@infradead.org \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.