mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/drivers/s390/crypto
History
Harald Freudenberger 394b6d8bbd s390/zcrypt: fix reference counting on zcrypt card objects 
[ Upstream commit 50ed48c80f ]

Tests with hot-plugging crytpo cards on KVM guests with debug
kernel build revealed an use after free for the load field of
the struct zcrypt_card. The reason was an incorrect reference
handling of the zcrypt card object which could lead to a free
of the zcrypt card object while it was still in use.

This is an example of the slab message:

    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
    kernel:  kmalloc_trace+0x3f2/0x470
    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]
    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
    kernel:  ap_device_probe+0x15c/0x290
    kernel:  really_probe+0xd2/0x468
    kernel:  driver_probe_device+0x40/0xf0
    kernel:  __device_attach_driver+0xc0/0x140
    kernel:  bus_for_each_drv+0x8c/0xd0
    kernel:  __device_attach+0x114/0x198
    kernel:  bus_probe_device+0xb4/0xc8
    kernel:  device_add+0x4d2/0x6e0
    kernel:  ap_scan_adapter+0x3d0/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
    kernel:  kfree+0x37e/0x418
    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]
    kernel:  ap_device_remove+0x4c/0xe0
    kernel:  device_release_driver_internal+0x1c4/0x270
    kernel:  bus_remove_device+0x100/0x188
    kernel:  device_del+0x164/0x3c0
    kernel:  device_unregister+0x30/0x90
    kernel:  ap_scan_adapter+0xc8/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel:  kthread+0x150/0x168
    kernel:  __ret_from_fork+0x3c/0x58
    kernel:  ret_from_fork+0xa/0x30
    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........
    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.
    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........
    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
    kernel: Call Trace:
    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8
    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590
    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
    kernel:  [<00000000c9b919dc>] ext4_htree_fill_tree+0x134/0x400
    kernel:  [<00000000c9b4b3d0>] ext4_dx_readdir+0x160/0x2f0
    kernel:  [<00000000c9b4bedc>] ext4_readdir+0x5f4/0x760
    kernel:  [<00000000c9a7efc4>] iterate_dir+0xb4/0x280
    kernel:  [<00000000c9a7f1ea>] __do_sys_getdents64+0x5a/0x120
    kernel:  [<00000000ca5d6946>] __do_syscall+0x256/0x310
    kernel:  [<00000000ca5eea10>] system_call+0x70/0x98
    kernel: INFO: lockdep is turned off.
    kernel: FIX kmalloc-96: Restoring Poison 0x00000000885a7512-0x00000000885a7513=0x6b
    kernel: FIX kmalloc-96: Marking all objects used

The fix is simple: Before use of the queue not only the queue object
but also the card object needs to increase it's reference count
with a call to zcrypt_card_get(). Similar after use of the queue
not only the queue but also the card object's reference count is
decreased with zcrypt_card_put().

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2024-04-03 15:32:21 +02:00
..
Makefile s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
ap_bus.c s390/ap: handle outband SE bind state change 2023-11-30 16:24:23 +01:00
ap_bus.h s390/ap: handle outband SE bind state change 2023-11-30 16:24:23 +01:00
ap_card.c s390/ap: store TAPQ hwinfo in struct ap_card 2023-11-30 16:24:23 +01:00
ap_debug.h s390/zcrypt: rework of debug feature messages 2021-10-26 15:21:27 +02:00
ap_queue.c s390/ap: handle outband SE bind state change 2023-11-30 16:24:23 +01:00
pkey_api.c s390/zcrypt_ep11misc: support API ordinal 6 with empty pin-blob 2023-08-18 15:07:57 +02:00
vfio_ap_debug.h s390-vfio-ap: introduces s390 kernel debug feature for vfio_ap device driver 2022-02-06 23:31:29 +01:00
vfio_ap_drv.c s390 updates for the 6.4 merge window 2023-04-30 11:43:31 -07:00
vfio_ap_ops.c s390/vfio-ap: do not reset queue removed from host config 2024-01-17 13:53:06 +01:00
vfio_ap_private.h s390/vfio-ap: reset queues filtered from the guest's AP config 2024-01-17 13:53:05 +01:00
zcrypt_api.c s390/zcrypt: fix reference counting on zcrypt card objects 2024-04-03 15:32:21 +02:00
zcrypt_api.h s390/zcrypt: cleanup some debug code 2023-07-03 11:19:41 +02:00
zcrypt_card.c s390/zcrypt: don't report online if card or queue is in check-stop state 2023-11-05 22:34:57 +01:00
zcrypt_cca_key.h s390/zcrypt: rework arrays with length zero occurrences 2023-04-19 16:47:31 +02:00
zcrypt_ccamisc.c s390: fix various typos 2023-07-03 11:19:42 +02:00
zcrypt_ccamisc.h s390: fix various typos 2023-07-03 11:19:42 +02:00
zcrypt_cex2a.c s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_cex2a.h s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_cex2c.c s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_cex2c.h s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_cex4.c s390/ap: store TAPQ hwinfo in struct ap_card 2023-11-30 16:24:23 +01:00
zcrypt_cex4.h
zcrypt_debug.h s390/zcrypt: rework of debug feature messages 2021-10-26 15:21:27 +02:00
zcrypt_ep11misc.c s390/zcrypt_ep11misc: support API ordinal 6 with empty pin-blob 2023-08-18 15:07:57 +02:00
zcrypt_ep11misc.h s390/zcrypt_ep11misc: support API ordinal 6 with empty pin-blob 2023-08-18 15:07:57 +02:00
zcrypt_error.h s390/ap: show APFS value on error reply 0x8B 2023-10-16 13:04:09 +02:00
zcrypt_msgtype6.c s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_msgtype6.h s390/zcrypt: code cleanup 2022-04-25 13:54:14 +02:00
zcrypt_msgtype50.c s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_msgtype50.h s390/zcrypt: remove CEX2 and CEX3 device drivers 2023-07-24 12:12:22 +02:00
zcrypt_queue.c s390/zcrypt: don't report online if card or queue is in check-stop state 2023-11-05 22:34:57 +01:00