linux/drivers
Taehee Yoo 8526ad9646 netdevsim: fix panic in nsim_dev_take_snapshot_write()
nsim_dev_take_snapshot_write() uses nsim_dev and nsim_dev->dummy_region.
So, during this function, these data shouldn't be removed.
But there is no protecting stuff in this function.

There are two similar cases.
1. reload case
reload could be called during nsim_dev_take_snapshot_write().
When reload is being executed, nsim_dev_reload_down() is called and it
calls nsim_dev_reload_destroy(). nsim_dev_reload_destroy() calls
devlink_region_destroy() to destroy nsim_dev->dummy_region.
So, during nsim_dev_take_snapshot_write(), nsim_dev->dummy_region()
would be removed.
At this point, snapshot_write() would access a freed pointer.
In order to fix this case, take_snapshot file will be removed before
devlink_region_destroy().
The take_snapshot file will be re-created by ->reload_up().

2. del_device_store case
del_device_store() also could call nsim_dev_reload_destroy()
during nsim_dev_take_snapshot_write(). If so, panic would occur.
This problem is actually the same problem as the first case.
So, this problem will be fixed by the first case's solution.

Test commands:
    modprobe netdevsim
    while :
    do
        echo 1 > /sys/bus/netdevsim/new_device &
        echo 1 > /sys/bus/netdevsim/del_device &
        devlink dev reload netdevsim/netdevsim1 &
        echo 1 > /sys/kernel/debug/netdevsim/netdevsim1/take_snapshot &
    done

Splat looks like:
[   45.564513][  T975] general protection fault, probably for non-canonical address 0xdffffc000000003a: 0000 [#1] SMP DEI
[   45.566131][  T975] KASAN: null-ptr-deref in range [0x00000000000001d0-0x00000000000001d7]
[   45.566135][  T975] CPU: 1 PID: 975 Comm: bash Not tainted 5.5.0+ #322
[   45.569020][  T975] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[   45.569026][  T975] RIP: 0010:__mutex_lock+0x10a/0x14b0
[   45.570518][  T975] Code: 08 84 d2 0f 85 7f 12 00 00 44 8b 0d 10 23 65 02 45 85 c9 75 29 49 8d 7f 68 48 b8 00 00 00 0f
[   45.570522][  T975] RSP: 0018:ffff888046ccfbf0 EFLAGS: 00010206
[   45.572305][  T975] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   45.572308][  T975] RDX: 000000000000003a RSI: ffffffffac926440 RDI: 00000000000001d0
[   45.576843][  T975] RBP: ffff888046ccfd70 R08: ffffffffab610645 R09: 0000000000000000
[   45.576847][  T975] R10: ffff888046ccfd90 R11: ffffed100d6360ad R12: 0000000000000000
[   45.578471][  T975] R13: dffffc0000000000 R14: ffffffffae1976c0 R15: 0000000000000168
[   45.578475][  T975] FS:  00007f614d6e7740(0000) GS:ffff88806c400000(0000) knlGS:0000000000000000
[   45.581492][  T975] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   45.582942][  T975] CR2: 00005618677d1cf0 CR3: 000000005fb9c002 CR4: 00000000000606e0
[   45.584543][  T975] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   45.586633][  T975] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   45.589889][  T975] Call Trace:
[   45.591445][  T975]  ? devlink_region_snapshot_create+0x55/0x4a0
[   45.601250][  T975]  ? mutex_lock_io_nested+0x1380/0x1380
[   45.602817][  T975]  ? mutex_lock_io_nested+0x1380/0x1380
[   45.603875][  T975]  ? mark_held_locks+0xa5/0xe0
[   45.604769][  T975]  ? _raw_spin_unlock_irqrestore+0x2d/0x50
[   45.606147][  T975]  ? __mutex_unlock_slowpath+0xd0/0x670
[   45.607723][  T975]  ? crng_backtrack_protect+0x80/0x80
[   45.613530][  T975]  ? wait_for_completion+0x390/0x390
[   45.615152][  T975]  ? devlink_region_snapshot_create+0x55/0x4a0
[   45.616834][  T975]  devlink_region_snapshot_create+0x55/0x4a0
[ ... ]

Fixes: 4418f862d6 ("netdevsim: implement support for devlink region and snapshots")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2020-02-03 15:32:20 -08:00
accessibility
acpi drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
amba
android for-5.6/io_uring-vfs-2020-01-29 2020-01-29 18:53:37 -08:00
ata SCSI misc on 20200129 2020-01-29 18:16:16 -08:00
atm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
auxdisplay drm-misc-next for v5.6: 2019-12-17 13:57:54 +01:00
base SCSI misc on 20200129 2020-01-29 18:16:16 -08:00
bcma Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
block SCSI misc on 20200129 2020-01-29 18:16:16 -08:00
bluetooth Bluetooth: btrtl: Use kvmalloc for FW allocations 2020-01-24 19:57:53 +01:00
bus Char/Misc driver changes for 5.6-rc1 2020-01-29 10:35:54 -08:00
cdrom compat_ioctl: move cdrom commands into cdrom.c 2020-01-03 09:42:52 +01:00
char Char/Misc driver changes for 5.6-rc1 2020-01-29 10:35:54 -08:00
clk ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
clocksource The timekeeping and timers department provides: 2020-01-27 16:47:05 -08:00
connector
counter
cpufreq ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
cpuidle Merge branch 'intel_idle+acpi' 2020-01-23 00:35:50 +01:00
crypto Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
dax
dca
devfreq PM / devfreq: Add debugfs support with devfreq_summary file 2020-01-16 19:14:49 +09:00
dio
dma ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
dma-buf drm-misc-next for v5.6: 2020-01-03 11:43:44 +10:00
edac ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
eisa
extcon extcon: sm5502: Remove unneeded semicolon 2019-12-16 10:23:19 +09:00
firewire remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
firmware Char/Misc driver changes for 5.6-rc1 2020-01-29 10:35:54 -08:00
fpga fpga: xilinx-pr-decoupler: Remove clk_get error message for probe defer 2020-01-10 12:51:56 -08:00
fsi
gnss
gpio This is the bulk of pin control changes for the v5.6 kernel cycle: 2020-01-29 09:51:36 -08:00
gpu drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
greybus
hid drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
hsi
hv clocksource/drivers/hyper-v: Untangle stimers and timesync from clocksources 2020-01-16 19:09:02 +01:00
hwmon ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
hwspinlock
hwtracing coresight: etm4x: Fix unused function warning 2020-01-14 15:38:28 +01:00
i2c ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
i3c i3c: master: dw: reattach device on first available location of address table 2020-01-13 10:00:05 +01:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide 2020-01-30 07:39:10 -08:00
idle Merge branch 'x86-cpu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2020-01-28 12:46:42 -08:00
iio Merge 5.5-rc7 into staging-next 2020-01-22 09:05:34 +01:00
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
input ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
interconnect interconnect: qcom: Add MSM8916 interconnect provider driver 2020-01-07 09:30:09 +02:00
iommu ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
ipack remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
irqchip The interrupt department provides: 2020-01-27 17:22:21 -08:00
isdn isdn: don't mark kcapi_proc_exit as __exit 2019-12-17 08:59:57 +01:00
leds leds: lm3532: add pointer to documentation and fix typo 2020-01-22 21:08:24 +01:00
lightnvm
macintosh
mailbox
mcb
md - Fix DM core's potential for q->make_request_fn NULL pointer in the 2020-01-29 18:08:49 -08:00
media drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
memory
memstick
message Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2020-01-19 22:10:04 +01:00
mfd drm/i915/dsi: Move Crystal Cove PMIC panel GPIO lookup from mfd to the i915 driver 2020-01-03 11:47:00 +01:00
misc drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
mmc ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
mtd ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
mux
net netdevsim: fix panic in nsim_dev_take_snapshot_write() 2020-02-03 15:32:20 -08:00
nfc Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2020-01-19 22:10:04 +01:00
ntb
nubus
nvdimm
nvme for-5.6/block-2020-01-27 2020-01-27 12:38:25 -08:00
nvmem nvmem: add QTI SDAM driver 2020-01-16 20:56:49 +01:00
of net: mii_timestamper: fix static allocation by PHY driver 2020-01-31 07:46:11 -08:00
opp ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
oprofile
parisc remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
parport
pci ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
pcmcia
perf perf/imx_ddr: Fix cpu hotplug state cleanup 2020-01-15 12:48:40 +00:00
phy USB/Thunderbolt/PHY driver updates for 5.6-rc1 2020-01-29 10:09:44 -08:00
pinctrl This is the bulk of pin control changes for the v5.6 kernel cycle: 2020-01-29 09:51:36 -08:00
platform ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
pnp PNP: isapnp: remove defined but not used function 'isapnp_checksum' 2020-01-23 00:26:13 +01:00
power power supply and reset changes for the v5.6 series 2020-01-30 07:51:24 -08:00
powercap Merge back power capping changes for v5.6. 2020-01-13 10:32:19 +01:00
pps
ps3
ptp Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2020-01-19 22:10:04 +01:00
pwm
rapidio
ras
regulator ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
remoteproc
reset
rpmsg
rtc ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
s390 s390/qeth: remove HARDSETUP state 2020-01-26 15:20:32 +01:00
sbus
scsi SCSI misc on 20200129 2020-01-29 18:16:16 -08:00
sfi
sh remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
siox siox: Use the correct style for SPDX License Identifier 2020-01-14 21:46:53 +01:00
slimbus slimbus: qcom: add missed clk_disable_unprepare in remove 2020-01-14 21:46:48 +01:00
soc drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
soundwire soundwire: cadence: fix kernel-doc parameter descriptions 2020-01-16 17:34:38 +05:30
spi ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
spmi
ssb remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
staging drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
target SCSI misc on 20200129 2020-01-29 18:16:16 -08:00
tc remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
tee drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
thermal - Depromote debug print on the db8500 platform (Linus Walleij) 2020-01-28 16:31:08 -08:00
thunderbolt thunderbolt: fix memory leak of object sw 2020-01-14 15:37:41 +01:00
tty TTY/Serial driver updates for 5.6-rc1 2020-01-29 10:13:27 -08:00
uio uio: uio_pdrv_genirq: Do not log an error when deferring probe routine. 2020-01-14 15:27:51 +01:00
usb USB/Thunderbolt/PHY driver updates for 5.6-rc1 2020-01-29 10:09:44 -08:00
vfio remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
vhost
video drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
virt
virtio
visorbus visorbus: fix uninitialized variable access 2020-01-14 15:30:35 +01:00
vlynq
vme Char/Misc driver changes for 5.6-rc1 2020-01-29 10:35:54 -08:00
w1 Char/Misc driver changes for 5.6-rc1 2020-01-29 10:35:54 -08:00
watchdog ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
xen drm pull for 5.6-rc1 2020-01-30 08:04:01 -08:00
zorro
Kconfig
Makefile thunderbolt: Update Kconfig entries to USB4 2019-12-18 15:39:18 +01:00