linux/drivers/edac
James Morse 1e72e673b9 EDAC/ghes: Fix Use after free in ghes_edac remove path
ghes_edac models a single logical memory controller, and uses a global
ghes_init variable to ensure only the first ghes_edac_register() will
do anything.

ghes_edac is registered the first time a GHES entry in the HEST is
probed. There may be multiple entries, so subsequent attempts to
register ghes_edac are silently ignored as the work has already been
done.

When a GHES entry is unregistered, it calls ghes_edac_unregister(),
which free()s the memory behind the global variables in ghes_edac.

But there may be multiple GHES entries, the next call to
ghes_edac_unregister() will dereference the free()d memory, and attempt
to free it a second time.

This may also be triggered on a platform with one GHES entry, if the
driver is unbound/re-bound and unbound. The re-bind step will do
nothing because of ghes_init, the second unbind will then do the same
work as the first.

Doing the unregister work on the first call is unsafe, as another
CPU may be processing a notification in ghes_edac_report_mem_error(),
using the memory we are about to free.

ghes_init is already half of the reference counting. We only need
to do the register work for the first call, and the unregister work
for the last. Add the unregister check.

This means we no longer free ghes_edac's memory while there are
GHES entries that may receive a notification.

This was detected by KASAN and DEBUG_TEST_DRIVER_REMOVE.

 [ bp: merge into a single patch. ]

Fixes: 0fe5f281f7 ("EDAC, ghes: Model a single, logical memory controller")
Reported-by: John Garry <john.garry@huawei.com>
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Robert Richter <rrichter@marvell.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20191014171919.85044-2-james.morse@arm.com
Link: https://lkml.kernel.org/r/304df85b-8b56-b77e-1a11-aa23769f2e7c@huawei.com
2019-10-17 11:27:05 +02:00
..
altera_edac.c EDAC/altera: Use the proper type for the IRQ status bits 2019-08-07 10:37:34 +02:00
altera_edac.h edac: altera: Move Stratix10 SDRAM ECC to peripheral 2019-07-25 14:28:42 -04:00
amd64_edac_dbg.c
amd64_edac_inj.c
amd64_edac.c EDAC/amd64: Add PCI device IDs for family 17h, model 70h 2019-09-07 07:29:27 +02:00
amd64_edac.h EDAC/amd64: Add PCI device IDs for family 17h, model 70h 2019-09-07 07:29:27 +02:00
amd76x_edac.c
amd8111_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
amd8111_edac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
amd8131_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
amd8131_edac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
armada_xp_edac.c ARM: 8891/1: EDAC: armada_xp: Add support for more SoCs 2019-08-29 07:58:01 +01:00
aspeed_edac.c EDAC/aspeed: Remove set but not used variable 'np' 2019-06-20 11:44:36 -07:00
bluefield_edac.c EDAC, mellanox: Add ECC support for BlueField DDR4 2019-08-08 12:57:01 -03:00
cell_edac.c
cpc925_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
debugfs.c ARM: 8892/1: EDAC: Add missing debugfs_create_x32 wrapper 2019-08-29 07:58:01 +01:00
e7xxx_edac.c
e752x_edac.c EDAC: Fix indentation issues in several EDAC drivers 2018-11-10 16:56:16 +01:00
edac_device_sysfs.c
edac_device.c
edac_device.h
edac_mc_sysfs.c EDAC/mc_sysfs: Make debug messages consistent 2019-09-04 11:39:19 +02:00
edac_mc.c EDAC: Prefer 'unsigned int' to bare use of 'unsigned' 2019-09-03 19:21:19 +02:00
edac_mc.h EDAC: Prefer 'unsigned int' to bare use of 'unsigned' 2019-09-03 19:21:19 +02:00
edac_module.c
edac_module.h ARM: 8892/1: EDAC: Add missing debugfs_create_x32 wrapper 2019-08-29 07:58:01 +01:00
edac_pci_sysfs.c
edac_pci.c
edac_pci.h
fsl_ddr_edac.c EDAC, fsl_ddr: Add LS1021A to the list of supported hardware 2018-12-19 11:57:45 +01:00
fsl_ddr_edac.h EDAC, fsl_ddr: Add LS1021A to the list of supported hardware 2018-12-19 11:57:45 +01:00
ghes_edac.c EDAC/ghes: Fix Use after free in ghes_edac remove path 2019-10-17 11:27:05 +02:00
highbank_l2_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
highbank_mc_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
i7core_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 172 2019-05-30 11:26:39 -07:00
i10nm_base.c x86/intel: Aggregate microserver naming 2019-08-28 11:29:32 +02:00
i3000_edac.c EDAC: Fix indentation issues in several EDAC drivers 2018-11-10 16:56:16 +01:00
i3200_edac.c
i5000_edac.c EDAC, i5000: Remove set but not used local variables 2018-12-11 14:53:49 +01:00
i5100_edac.c EDAC: Prefer 'unsigned int' to bare use of 'unsigned' 2019-09-03 19:21:19 +02:00
i5400_edac.c
i7300_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 172 2019-05-30 11:26:39 -07:00
i82443bxgx_edac.c
i82860_edac.c
i82875p_edac.c
i82975x_edac.c EDAC, i82975x: Fix spelling mistake "reserverd" -> "reserved" 2018-11-20 17:46:01 +01:00
ie31200_edac.c EDAC/ie31200: Reformat PCI device table 2019-06-20 11:44:36 -07:00
Kconfig ARM updates for 5.4-rc1: 2019-09-22 09:39:09 -07:00
layerscape_edac.c
Makefile ARM updates for 5.4-rc1: 2019-09-22 09:39:09 -07:00
mce_amd.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
mce_amd.h
mpc85xx_edac.c
mpc85xx_edac.h
mv64x60_edac.c
mv64x60_edac.h
octeon_edac-l2c.c
octeon_edac-lmc.c
octeon_edac-pc.c
octeon_edac-pci.c
pasemi_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 333 2019-06-05 17:37:06 +02:00
pnd2_edac.c Merge branch 'x86-cpu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-09-16 18:47:53 -07:00
pnd2_edac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
ppc4xx_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
ppc4xx_edac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441 2019-06-05 17:37:17 +02:00
qcom_edac.c EDAC, qcom_edac: Remove irq_handled local variable 2018-11-06 12:03:16 +01:00
r82600_edac.c
sb_edac.c x86/intel: Aggregate microserver naming 2019-08-28 11:29:32 +02:00
sifive_edac.c EDAC/sifive: Add EDAC platform driver for SiFive SoCs 2019-06-20 11:44:36 -07:00
skx_base.c EDAC, skx, i10nm: Fix source ID register offset 2019-06-26 10:07:27 -07:00
skx_common.c EDAC, skx, i10nm: Fix source ID register offset 2019-06-26 10:07:27 -07:00
skx_common.h EDAC, skx, i10nm: Fix source ID register offset 2019-06-26 10:07:27 -07:00
synopsys_edac.c EDAC, synopsys: Add Error Injection support for ZynqMP DDR controller 2018-11-06 10:38:27 +01:00
thunderx_edac.c EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr() 2018-10-13 13:58:06 +02:00
ti_edac.c
wq.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
x38_edac.c
xgene_edac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00