[GIT pull] ras fixes for 5.6-rc3

From: Thomas Gleixner
Date: Sat Feb 22 2020 - 16:07:04 EST

Next message: Guenter Roeck: "Re: [regression] nct6775 does not load in 5.4 and 5.5, bisected to b84398d6d7f90080"
Previous message: Thomas Gleixner: "[GIT pull] irq fixes for 5.6-rc3"
In reply to: pr-tracker-bot: "Re: [GIT pull] x86 fixes for 5.6-rc3"
Next in thread: pr-tracker-bot: "Re: [GIT pull] ras fixes for 5.6-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Linus,

please pull the latest ras/urgent branch from:

git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git ras-urgent-2020-02-22

up to: 51dede9c05df: x86/mce/amd: Fix kobject lifetime

Two fixes for the AMD MCE driver:

- Populate the per CPU MCA bank descriptor pointer only after it has been
completely set up to prevent a use-after-free in case that one of the
subsequent initialization step fails

- Implement a proper release function for the sysfs entries of MCA
threshold controls instead of freeing the memory right in the CPU
teardown code, which leads to another use-after-free when the
associated sysfs file is opened and accessed.

Thanks,

tglx

------------------>
Borislav Petkov (1):
x86/mce/amd: Publish the bank pointer only after setup has succeeded

Thomas Gleixner (1):
x86/mce/amd: Fix kobject lifetime

arch/x86/kernel/cpu/mce/amd.c | 50 +++++++++++++++++++++++--------------------
1 file changed, 27 insertions(+), 23 deletions(-)

diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c
index b3a50d962851..52de616a8065 100644
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1163,9 +1163,12 @@ static const struct sysfs_ops threshold_ops = {
.store = store,
};

+static void threshold_block_release(struct kobject *kobj);
+
static struct kobj_type threshold_ktype = {
.sysfs_ops = &threshold_ops,
.default_attrs = default_attrs,
+ .release = threshold_block_release,
};

static const char *get_name(unsigned int bank, struct threshold_block *b)
@@ -1198,8 +1201,9 @@ static const char *get_name(unsigned int bank, struct threshold_block *b)
return buf_mcatype;
}

-static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank,
- unsigned int block, u32 address)
+static int allocate_threshold_blocks(unsigned int cpu, struct threshold_bank *tb,
+ unsigned int bank, unsigned int block,
+ u32 address)
{
struct threshold_block *b = NULL;
u32 low, high;
@@ -1243,16 +1247,12 @@ static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank,

INIT_LIST_HEAD(&b->miscj);

- if (per_cpu(threshold_banks, cpu)[bank]->blocks) {
- list_add(&b->miscj,
- &per_cpu(threshold_banks, cpu)[bank]->blocks->miscj);
- } else {
- per_cpu(threshold_banks, cpu)[bank]->blocks = b;
- }
+ if (tb->blocks)
+ list_add(&b->miscj, &tb->blocks->miscj);
+ else
+ tb->blocks = b;

- err = kobject_init_and_add(&b->kobj, &threshold_ktype,
- per_cpu(threshold_banks, cpu)[bank]->kobj,
- get_name(bank, b));
+ err = kobject_init_and_add(&b->kobj, &threshold_ktype, tb->kobj, get_name(bank, b));
if (err)
goto out_free;
recurse:
@@ -1260,7 +1260,7 @@ static int allocate_threshold_blocks(unsigned int cpu, unsigned int bank,
if (!address)
return 0;

- err = allocate_threshold_blocks(cpu, bank, block, address);
+ err = allocate_threshold_blocks(cpu, tb, bank, block, address);
if (err)
goto out_free;

@@ -1345,8 +1345,6 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
goto out_free;
}

- per_cpu(threshold_banks, cpu)[bank] = b;
-
if (is_shared_bank(bank)) {
refcount_set(&b->cpus, 1);

@@ -1357,9 +1355,13 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
}
}

- err = allocate_threshold_blocks(cpu, bank, 0, msr_ops.misc(bank));
- if (!err)
- goto out;
+ err = allocate_threshold_blocks(cpu, b, bank, 0, msr_ops.misc(bank));
+ if (err)
+ goto out_free;
+
+ per_cpu(threshold_banks, cpu)[bank] = b;
+
+ return 0;

out_free:
kfree(b);
@@ -1368,8 +1370,12 @@ static int threshold_create_bank(unsigned int cpu, unsigned int bank)
return err;
}

-static void deallocate_threshold_block(unsigned int cpu,
- unsigned int bank)
+static void threshold_block_release(struct kobject *kobj)
+{
+ kfree(to_block(kobj));
+}
+
+static void deallocate_threshold_block(unsigned int cpu, unsigned int bank)
{
struct threshold_block *pos = NULL;
struct threshold_block *tmp = NULL;
@@ -1379,13 +1385,11 @@ static void deallocate_threshold_block(unsigned int cpu,
return;

list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) {
- kobject_put(&pos->kobj);
list_del(&pos->miscj);
- kfree(pos);
+ kobject_put(&pos->kobj);
}

- kfree(per_cpu(threshold_banks, cpu)[bank]->blocks);
- per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;
+ kobject_put(&head->blocks->kobj);
}

static void __threshold_remove_blocks(struct threshold_bank *b)

Next message: Guenter Roeck: "Re: [regression] nct6775 does not load in 5.4 and 5.5, bisected to b84398d6d7f90080"
Previous message: Thomas Gleixner: "[GIT pull] irq fixes for 5.6-rc3"
In reply to: pr-tracker-bot: "Re: [GIT pull] x86 fixes for 5.6-rc3"
Next in thread: pr-tracker-bot: "Re: [GIT pull] ras fixes for 5.6-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]