Subject: Patch "arm64: fix a concurrency issue in emulation_proc_handler()" has been added to the 4.19-stable tree
To: catalin.marinas@arm.com, gregkh@linuxfoundation.org, linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com, ruanjinjie@huawei.com, will.deacon@arm.com
Date: Tue, 31 Oct 2023 12:18:27 +0100
In-Reply-To: <20231030063709.2443546-1-ruanjinjie@huawei.com>
Message-ID: <2023103127-slab-animating-a149@gregkh>

This is a note to let you know that I've just added the patch titled

    arm64: fix a concurrency issue in emulation_proc_handler()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    arm64-fix-a-concurrency-issue-in-emulation_proc_handler.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

From: Jinjie Ruan
Date: Mon, 30 Oct 2023 06:37:09 +0000
Subject: arm64: fix a concurrency issue in emulation_proc_handler()
Message-ID: <20231030063709.2443546-1-ruanjinjie@huawei.com>

From: Jinjie Ruan

In linux-6.1, the related code is refactored in commit 124c49b1b5d9 ("arm64:
armv8_deprecated: rework deprected instruction handling") and this issue
was incidentally fixed. I have adapted the patch set to linux stable 5.10.
However, 4.19 and 5.10 are too different and the patch set is hard to adapt
to 4.19.

This patch is to solve the problem of repeated addition of linked lists
described below with few changes.

How to reproduce:
CONFIG_ARMV8_DEPRECATED=y, CONFIG_SWP_EMULATION=y, and CONFIG_DEBUG_LIST=y,
then launch two shell executions:

    #!/bin/bash
    while [ 1 ];
    do
        echo 1 > /proc/sys/abi/swp
    done

or "echo 1 > /proc/sys/abi/swp" and then launch two shell executions:

    #!/bin/bash
    while [ 1 ];
    do
        echo 0 > /proc/sys/abi/swp
    done

In emulation_proc_handler(), read and write operations are performed on
insn->current_mode. In the concurrency scenario, mutex only protects
writing insn->current_mode, and does not protect the read. Suppose there are
two concurrent tasks, task1 updates insn->current_mode to INSN_EMULATE
in the critical section, the prev_mode of task2 is still the old data
INSN_UNDEF of insn->current_mode. As a result, two tasks call
update_insn_emulation_mode twice with prev_mode = INSN_UNDEF and
current_mode = INSN_EMULATE, then call register_emulation_hooks twice,
resulting in a list_add double problem.

After applying this patch, the following list add or list del double
warnings never occur.

Call trace:
 __list_add_valid+0xd8/0xe4
 register_undef_hook+0x94/0x13c
 update_insn_emulation_mode+0xd0/0x12c
 emulation_proc_handler+0xd8/0xf4
 proc_sys_call_handler+0x140/0x250
 proc_sys_write+0x1c/0x2c
 new_sync_write+0xec/0x18c
 vfs_write+0x214/0x2ac
 ksys_write+0x70/0xfc
 __arm64_sys_write+0x24/0x30
 el0_svc_common.constprop.0+0x7c/0x1bc
 do_el0_svc+0x2c/0x94
 el0_svc+0x20/0x30
 el0_sync_handler+0xb0/0xb4
 el0_sync+0x160/0x180

Call trace:
 __list_del_entry_valid+0xac/0x110
 unregister_undef_hook+0x34/0x80
 update_insn_emulation_mode+0xf0/0x180
 emulation_proc_handler+0x8c/0xd8
 proc_sys_call_handler+0x1d8/0x208
 proc_sys_write+0x14/0x20
 new_sync_write+0xf0/0x190
 vfs_write+0x304/0x388
 ksys_write+0x6c/0x100
 __arm64_sys_write+0x1c/0x28
 el0_svc_common.constprop.4+0x68/0x188
 do_el0_svc+0x24/0xa0
 el0_svc+0x14/0x20
 el0_sync_handler+0x90/0xb8
 el0_sync+0x160/0x180

Fixes: af483947d472 ("arm64: fix oops in concurrently setting insn_emulation sysctls")
Cc: stable@vger.kernel.org#4.19.x
Cc: gregkh@linuxfoundation.org
Signed-off-by: Jinjie Ruan
Acked-by: Mark Rutland
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/kernel/armv8_deprecated.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/arm64/kernel/armv8_deprecated.c +++ b/arch/arm64/kernel/armv8_deprecated.c 
@@ -211,10 +211,12 @@ static int emulation_proc_handler(struct loff_t *ppos) { int ret = 0; - struct insn_emulation *insn = container_of(table->data, struct insn_emulation, current_mode); - enum insn_emulation_mode prev_mode = insn->current_mode; + struct insn_emulation *insn; + enum insn_emulation_mode prev_mode; mutex_lock(&insn_emulation_mutex); + insn = container_of(table->data, struct insn_emulation, current_mode); + prev_mode = insn->current_mode; ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (ret || !write || prev_mode == insn->current_mode) Patches currently in stable-queue which might be from ruanjinjie@huawei.com are queue-4.19/arm64-fix-a-concurrency-issue-in-emulation_proc_handler.patch _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
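
Review bot: The container_of() assignment to insn, moved below mutex_lock() in emulation_proc_handler(), does not need the lock, since it only does pointer arithmetic on table->data; the one statement that has to sit inside the critical section is "prev_mode = insn->current_mode;". Keeping the insn initialiser at its declaration would reduce the change to the line that matters, and a short comment on the prev_mode read, saying it must be sampled under insn_emulation_mutex because proc_dointvec_minmax() stores into insn->current_mode, would keep a later cleanup from hoisting it back out of the lock.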
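
The interleaving described in the commit message, replayed deterministically as an added example: a constructed user-space model, not kernel code and not part of the original patch. `struct model`, `locked_section()` and the two `registrations_*` functions are hypothetical names, and the mutex is modelled by running each critical section to completion before the next one starts.

```c
#include <stdio.h>

/* Constructed model: mode names mirror the patch, everything else is hypothetical. */
enum insn_emulation_mode { INSN_UNDEF, INSN_EMULATE };

struct model {
    enum insn_emulation_mode current_mode; /* shared, like insn->current_mode */
    int hook_registrations;                /* >1 models the double list_add */
};

/* One writer's critical section: store the new mode, then register the
 * hook if the mode changed relative to the prev_mode this task sampled. */
static void locked_section(struct model *m, enum insn_emulation_mode prev_mode,
                           enum insn_emulation_mode new_mode)
{
    m->current_mode = new_mode;      /* the store done by proc_dointvec_minmax() */
    if (prev_mode == m->current_mode)
        return;                      /* no transition seen, nothing to do */
    if (m->current_mode == INSN_EMULATE)
        m->hook_registrations++;     /* stands in for register_emulation_hooks() */
}

/* Pre-patch ordering: both tasks sample prev_mode before either takes the mutex. */
int registrations_before_patch(void)
{
    struct model m = { INSN_UNDEF, 0 };
    enum insn_emulation_mode prev1 = m.current_mode; /* task1, unlocked read */
    enum insn_emulation_mode prev2 = m.current_mode; /* task2, unlocked read */
    locked_section(&m, prev1, INSN_EMULATE);         /* task1 holds the mutex */
    locked_section(&m, prev2, INSN_EMULATE);         /* task2: prev2 is stale */
    return m.hook_registrations;
}

/* Patched ordering: each task samples prev_mode inside its own critical section. */
int registrations_after_patch(void)
{
    struct model m = { INSN_UNDEF, 0 };
    locked_section(&m, m.current_mode, INSN_EMULATE); /* task1: prev is INSN_UNDEF */
    locked_section(&m, m.current_mode, INSN_EMULATE); /* task2: prev is INSN_EMULATE */
    return m.hook_registrations;
}

int main(void)
{
    printf("before patch: %d registrations\n", registrations_before_patch());
    printf("after patch:  %d registrations\n", registrations_after_patch());
    return 0;
}
```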