From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Daniel Jordan <daniel.m.jordan@oracle.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
linux-crypto@vger.kernel.org,
Yang Yingliang <yangyingliang@huawei.com>
Subject: [PATCH 4.19 16/16] padata: add separate cpuhp node for CPUHP_PADATA_DEAD
Date: Fri, 6 Aug 2021 10:15:07 +0200 [thread overview]
Message-ID: <20210806081111.662287213@linuxfoundation.org> (raw)
In-Reply-To: <20210806081111.144943357@linuxfoundation.org>
From: Daniel Jordan <daniel.m.jordan@oracle.com>
commit 3c2214b6027ff37945799de717c417212e1a8c54 upstream.
Removing the pcrypt module triggers this:
general protection fault, probably for non-canonical
address 0xdead000000000122
CPU: 5 PID: 264 Comm: modprobe Not tainted 5.6.0+ #2
Hardware name: QEMU Standard PC
RIP: 0010:__cpuhp_state_remove_instance+0xcc/0x120
Call Trace:
padata_sysfs_release+0x74/0xce
kobject_put+0x81/0xd0
padata_free+0x12/0x20
pcrypt_exit+0x43/0x8ee [pcrypt]
padata instances wrongly use the same hlist node for the online and dead
states, so __padata_free()'s second cpuhp remove call chokes on the node
that the first poisoned.
cpuhp multi-instance callbacks only walk forward in cpuhp_step->list and
the same node is linked in both the online and dead lists, so the list
corruption that results from padata_alloc() adding the node to a second
list without removing it from the first doesn't cause problems as long
as no instances are freed.
Avoid the issue by giving each state its own node.
Fixes: 894c9ef9780c ("padata: validate cpumask without removed CPU during offline")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org # v5.4+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/padata.h | 6 ++++--
kernel/padata.c | 14 ++++++++------
2 files changed, 12 insertions(+), 8 deletions(-)
--- a/include/linux/padata.h
+++ b/include/linux/padata.h
@@ -138,7 +138,8 @@ struct parallel_data {
/**
* struct padata_instance - The overall control structure.
*
- * @cpu_notifier: cpu hotplug notifier.
+ * @cpu_online_node: Linkage for CPU online callback.
+ * @cpu_dead_node: Linkage for CPU offline callback.
* @wq: The workqueue in use.
* @pd: The internal control structure.
* @cpumask: User supplied cpumasks for parallel and serial works.
@@ -150,7 +151,8 @@ struct parallel_data {
* @flags: padata flags.
*/
struct padata_instance {
- struct hlist_node node;
+ struct hlist_node cpu_online_node;
+ struct hlist_node cpu_dead_node;
struct workqueue_struct *wq;
struct parallel_data *pd;
struct padata_cpumask cpumask;
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -748,7 +748,7 @@ static int padata_cpu_online(unsigned in
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpu_online_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
@@ -763,7 +763,7 @@ static int padata_cpu_dead(unsigned int
struct padata_instance *pinst;
int ret;
- pinst = hlist_entry_safe(node, struct padata_instance, node);
+ pinst = hlist_entry_safe(node, struct padata_instance, cpu_dead_node);
if (!pinst_has_cpu(pinst, cpu))
return 0;
@@ -779,8 +779,9 @@ static enum cpuhp_state hp_online;
static void __padata_free(struct padata_instance *pinst)
{
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD, &pinst->node);
- cpuhp_state_remove_instance_nocalls(hp_online, &pinst->node);
+ cpuhp_state_remove_instance_nocalls(CPUHP_PADATA_DEAD,
+ &pinst->cpu_dead_node);
+ cpuhp_state_remove_instance_nocalls(hp_online, &pinst->cpu_online_node);
#endif
padata_stop(pinst);
@@ -964,9 +965,10 @@ static struct padata_instance *padata_al
mutex_init(&pinst->lock);
#ifdef CONFIG_HOTPLUG_CPU
- cpuhp_state_add_instance_nocalls_cpuslocked(hp_online, &pinst->node);
+ cpuhp_state_add_instance_nocalls_cpuslocked(hp_online,
+ &pinst->cpu_online_node);
cpuhp_state_add_instance_nocalls_cpuslocked(CPUHP_PADATA_DEAD,
- &pinst->node);
+ &pinst->cpu_dead_node);
#endif
return pinst;
next prev parent reply other threads:[~2021-08-06 8:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-06 8:14 [PATCH 4.19 00/16] 4.19.202-rc1 review Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 01/16] btrfs: mark compressed range uptodate only if all bio succeed Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 02/16] regulator: rt5033: Fix n_voltages settings for BUCK and LDO Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 03/16] ASoC: tlv320aic31xx: fix reversed bclk/wclk master bits Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 04/16] r8152: Fix potential PM refcount imbalance Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 05/16] qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union() Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 06/16] net: Fix zero-copy head len calculation Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 07/16] bdi: move bdi_dev_name out of line Greg Kroah-Hartman
2021-08-06 8:14 ` [PATCH 4.19 08/16] bdi: use bdi_dev_name() to get device name Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 09/16] bdi: add a ->dev_name field to struct backing_dev_info Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 10/16] Revert "spi: mediatek: fix fifo rx mode" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 11/16] Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 12/16] drm/i915: Ensure intel_engine_init_execlist() builds with Clang Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 13/16] firmware: arm_scmi: Ensure drivers provide a probe function Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 14/16] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" Greg Kroah-Hartman
2021-08-06 8:15 ` [PATCH 4.19 15/16] padata: validate cpumask without removed CPU during offline Greg Kroah-Hartman
2021-08-06 8:15 ` Greg Kroah-Hartman [this message]
2021-08-06 12:31 ` [PATCH 4.19 00/16] 4.19.202-rc1 review Pavel Machek
2021-08-06 14:33 ` Jon Hunter
2021-08-06 18:58 ` Guenter Roeck
2021-08-07 10:42 ` Sudip Mukherjee
2021-08-07 18:44 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210806081111.662287213@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel.m.jordan@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox