mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/drivers
History
Jiri Pirko aa1eec2f54 net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers 
I managed to hit following use after free warning recently:

[ 2169.711665] ==================================================================
[ 2169.714009] BUG: KASAN: slab-use-after-free in __run_timers.part.0+0x179/0x4c0
[ 2169.716293] Write of size 8 at addr ffff88812b326a70 by task swapper/4/0

[ 2169.719022] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 6.8.0-rc2jiri+ #2
[ 2169.720974] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
[ 2169.722457] Call Trace:
[ 2169.722756]  <IRQ>
[ 2169.723024]  dump_stack_lvl+0x58/0xb0
[ 2169.723417]  print_report+0xc5/0x630
[ 2169.723807]  ? __virt_addr_valid+0x126/0x2b0
[ 2169.724268]  kasan_report+0xbe/0xf0
[ 2169.724667]  ? __run_timers.part.0+0x179/0x4c0
[ 2169.725116]  ? __run_timers.part.0+0x179/0x4c0
[ 2169.725570]  __run_timers.part.0+0x179/0x4c0
[ 2169.726003]  ? call_timer_fn+0x320/0x320
[ 2169.726404]  ? lock_downgrade+0x3a0/0x3a0
[ 2169.726820]  ? kvm_clock_get_cycles+0x14/0x20
[ 2169.727257]  ? ktime_get+0x92/0x150
[ 2169.727630]  ? lapic_next_deadline+0x35/0x60
[ 2169.728069]  run_timer_softirq+0x40/0x80
[ 2169.728475]  __do_softirq+0x1a1/0x509
[ 2169.728866]  irq_exit_rcu+0x95/0xc0
[ 2169.729241]  sysvec_apic_timer_interrupt+0x6b/0x80
[ 2169.729718]  </IRQ>
[ 2169.729993]  <TASK>
[ 2169.730259]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 2169.730755] RIP: 0010:default_idle+0x13/0x20
[ 2169.731190] Code: c0 08 00 00 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 72 ff ff ff cc cc cc cc 8b 05 9a 7f 1f 02 85 c0 7e 07 0f 00 2d cf 69 43 00 fb f4 <fa> c3 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c0 93 04 00
[ 2169.732759] RSP: 0018:ffff888100dbfe10 EFLAGS: 00000242
[ 2169.733264] RAX: 0000000000000001 RBX: ffff888100d9c200 RCX: ffffffff8241bd62
[ 2169.733925] RDX: ffffed109a848b15 RSI: 0000000000000004 RDI: ffffffff8127ac55
[ 2169.734566] RBP: 0000000000000004 R08: 0000000000000000 R09: ffffed109a848b14
[ 2169.735200] R10: ffff8884d42458a3 R11: 000000000000ba7e R12: ffffffff83d7d3a0
[ 2169.735835] R13: 1ffff110201b7fc6 R14: 0000000000000000 R15: ffff888100d9c200
[ 2169.736478]  ? ct_kernel_exit.constprop.0+0xa2/0xc0
[ 2169.736954]  ? do_idle+0x285/0x290
[ 2169.737323]  default_idle_call+0x63/0x90
[ 2169.737730]  do_idle+0x285/0x290
[ 2169.738089]  ? arch_cpu_idle_exit+0x30/0x30
[ 2169.738511]  ? mark_held_locks+0x1a/0x80
[ 2169.738917]  ? lockdep_hardirqs_on_prepare+0x12e/0x200
[ 2169.739417]  cpu_startup_entry+0x30/0x40
[ 2169.739825]  start_secondary+0x19a/0x1c0
[ 2169.740229]  ? set_cpu_sibling_map+0xbd0/0xbd0
[ 2169.740673]  secondary_startup_64_no_verify+0x15d/0x16b
[ 2169.741179]  </TASK>

[ 2169.741686] Allocated by task 1098:
[ 2169.742058]  kasan_save_stack+0x1c/0x40
[ 2169.742456]  kasan_save_track+0x10/0x30
[ 2169.742852]  __kasan_kmalloc+0x83/0x90
[ 2169.743246]  mlx5_dpll_probe+0xf5/0x3c0 [mlx5_dpll]
[ 2169.743730]  auxiliary_bus_probe+0x62/0xb0
[ 2169.744148]  really_probe+0x127/0x590
[ 2169.744534]  __driver_probe_device+0xd2/0x200
[ 2169.744973]  device_driver_attach+0x6b/0xf0
[ 2169.745402]  bind_store+0x90/0xe0
[ 2169.745761]  kernfs_fop_write_iter+0x1df/0x2a0
[ 2169.746210]  vfs_write+0x41f/0x790
[ 2169.746579]  ksys_write+0xc7/0x160
[ 2169.746947]  do_syscall_64+0x6f/0x140
[ 2169.747333]  entry_SYSCALL_64_after_hwframe+0x46/0x4e

[ 2169.748049] Freed by task 1220:
[ 2169.748393]  kasan_save_stack+0x1c/0x40
[ 2169.748789]  kasan_save_track+0x10/0x30
[ 2169.749188]  kasan_save_free_info+0x3b/0x50
[ 2169.749621]  poison_slab_object+0x106/0x180
[ 2169.750044]  __kasan_slab_free+0x14/0x50
[ 2169.750451]  kfree+0x118/0x330
[ 2169.750792]  mlx5_dpll_remove+0xf5/0x110 [mlx5_dpll]
[ 2169.751271]  auxiliary_bus_remove+0x2e/0x40
[ 2169.751694]  device_release_driver_internal+0x24b/0x2e0
[ 2169.752191]  unbind_store+0xa6/0xb0
[ 2169.752563]  kernfs_fop_write_iter+0x1df/0x2a0
[ 2169.753004]  vfs_write+0x41f/0x790
[ 2169.753381]  ksys_write+0xc7/0x160
[ 2169.753750]  do_syscall_64+0x6f/0x140
[ 2169.754132]  entry_SYSCALL_64_after_hwframe+0x46/0x4e

[ 2169.754847] Last potentially related work creation:
[ 2169.755315]  kasan_save_stack+0x1c/0x40
[ 2169.755709]  __kasan_record_aux_stack+0x9b/0xf0
[ 2169.756165]  __queue_work+0x382/0x8f0
[ 2169.756552]  call_timer_fn+0x126/0x320
[ 2169.756941]  __run_timers.part.0+0x2ea/0x4c0
[ 2169.757376]  run_timer_softirq+0x40/0x80
[ 2169.757782]  __do_softirq+0x1a1/0x509

[ 2169.758387] Second to last potentially related work creation:
[ 2169.758924]  kasan_save_stack+0x1c/0x40
[ 2169.759322]  __kasan_record_aux_stack+0x9b/0xf0
[ 2169.759773]  __queue_work+0x382/0x8f0
[ 2169.760156]  call_timer_fn+0x126/0x320
[ 2169.760550]  __run_timers.part.0+0x2ea/0x4c0
[ 2169.760978]  run_timer_softirq+0x40/0x80
[ 2169.761381]  __do_softirq+0x1a1/0x509

[ 2169.761998] The buggy address belongs to the object at ffff88812b326a00
                which belongs to the cache kmalloc-256 of size 256
[ 2169.763061] The buggy address is located 112 bytes inside of
                freed 256-byte region [ffff88812b326a00, ffff88812b326b00)

[ 2169.764346] The buggy address belongs to the physical page:
[ 2169.764866] page:000000000f2b1e89 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12b324
[ 2169.765731] head:000000000f2b1e89 order:2 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2169.766484] anon flags: 0x200000000000840(slab|head|node=0|zone=2)
[ 2169.767048] page_type: 0xffffffff()
[ 2169.767422] raw: 0200000000000840 ffff888100042b40 0000000000000000 dead000000000001
[ 2169.768183] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[ 2169.768899] page dumped because: kasan: bad access detected

[ 2169.769649] Memory state around the buggy address:
[ 2169.770116]  ffff88812b326900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2169.770805]  ffff88812b326980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2169.771485] >ffff88812b326a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2169.772173]                                                              ^
[ 2169.772787]  ffff88812b326a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2169.773477]  ffff88812b326b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2169.774160] ==================================================================
[ 2169.774845] ==================================================================

I didn't manage to reproduce it. Though the issue seems to be obvious.
There is a chance that the mlx5_dpll_remove() calls
cancel_delayed_work() when the work runs and manages to re-arm itself.
In that case, after delay timer triggers next attempt to queue it,
it works with freed memory.

Fix this by using cancel_delayed_work_sync() instead which makes sure
that work is done when it returns.

Fixes: 496fd0a26b ("mlx5: Implement SyncE support using DPLL infrastructure")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240206164328.360313-1-jiri@resnulli.us
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2024-02-08 18:32:23 -08:00
..
accel accel/ivpu: Improve recovery and reset support 2024-01-25 10:17:37 +01:00
accessibility
acpi cxl for v6.8 2024-01-18 16:22:43 -08:00
amba
android binder: signal epoll threads of self-work 2024-01-31 14:08:28 -08:00
ata ahci: Extend ASM1061 43-bit DMA address quirk to other ASM106x parts 2024-01-31 12:09:34 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-02-03 12:46:13 +00:00
auxdisplay drm-next for 6.8: 2024-01-12 11:32:19 -08:00
base RTC for 6.8 2024-01-18 17:25:39 -08:00
bcma
block block-6.8-2024-01-26 2024-01-26 15:19:43 -08:00
bluetooth USB / Thunderbolt changes for 6.8-rc1 2024-01-18 11:43:55 -08:00
bus Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
cache
cdrom
cdx cdx: Unlock on error path in rescan_store() 2024-01-04 17:01:14 +01:00
char TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
clk clk: qcom: gcc-x1e80100: Replace of_device.h with explicit includes 2024-01-19 08:17:28 -06:00
clocksource clocksource/drivers/ep93xx: Fix error handling during probe 2023-12-27 15:37:11 +01:00
comedi
connector Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
counter
cpufreq cpufreq/amd-pstate: Fix setting scaling max/min freq values 2024-01-22 20:35:58 +01:00
cpuidle cpuidle: haltpoll: Do not enable interrupts when entering idle 2023-12-29 18:08:18 +01:00
crypto crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked 2024-02-02 18:08:12 +08:00
cxl cxl/region:Fix overflow issue in alloc_hpa() 2024-01-24 21:03:03 -08:00
dax New code for 6.8: 2024-01-10 08:45:22 -08:00
dca
devfreq
dio
dma dmaengine: at_hdmac: add missing kernel-doc style description 2024-02-02 17:16:55 +01:00
dma-buf dma-buf: heaps: Don't track CMA dma-buf pages under RssFile 2024-01-31 19:54:58 +05:30
dpll dpll: fix possible deadlock during netlink dump operation 2024-02-08 18:29:21 -08:00
edac Driver core changes for 6.8-rc1 2024-01-18 09:48:40 -08:00
eisa
extcon
firewire firewire: core: search descriptor leaf just after vendor directory entry in root directory 2024-02-01 20:53:18 +09:00
firmware drm fixes for 6.8-rc2 2024-01-26 13:52:18 -08:00
fpga Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
fsi
gnss TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
gpio gpio: eic-sprd: Clear interrupt after set the interrupt type 2024-01-22 11:38:08 +01:00
gpu drm fixes for 6.8-rc3 2024-02-02 12:54:46 -08:00
greybus TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
hid HID: bpf: use __bpf_kfunc instead of noinline 2024-01-31 10:27:08 +01:00
hsi
hte
hv
hwmon hwmon: (pmbus/mp2975) Correct comment inside 'mp2975_read_byte_data' 2024-01-27 08:03:18 -08:00
hwspinlock
hwtracing
i2c This cycle, I2C removes the currently unused CLASS_DDC support 2024-01-18 17:29:01 -08:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-01-08 00:51:36 +01:00
idle Power management updates for 6.8-rc1 2024-01-09 16:32:11 -08:00
iio TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
infiniband RDMA v6.8 merge window 2024-01-12 13:52:21 -08:00
input Input updates for v6.8-rc2 2024-02-02 12:52:44 -08:00
interconnect Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
iommu iommu: Allow ops->default_domain to work when !CONFIG_IOMMU_DMA 2024-02-01 13:16:17 +01:00
ipack TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
irqchip header cleanups for 6.8 2024-01-10 16:43:55 -08:00
isdn
leds - New Drivers 2024-01-17 15:25:27 -08:00
macintosh
mailbox mediatek: add CMDQ support for mt8188 2024-01-17 15:39:32 -08:00
mcb
md dm-crypt, dm-verity: disable tasklets 2024-02-02 12:33:50 -05:00
media media: vb2: refactor setting flags and caps, fix missing cap 2024-01-24 17:27:51 +01:00
memory IOMMU Updates for Linux v6.8 2024-01-18 15:16:57 -08:00
memstick
message
mfd TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
misc misc: open-dice: Fix spurious lockdep warning 2024-01-30 16:20:54 -08:00
mmc TTY/Serial changes for 6.8-rc1 2024-01-18 11:37:24 -08:00
most
mtd This pull request contains updates for UBI and UBIFS: 2024-01-17 10:27:13 -08:00
mux mux: mmio: use reg property when parent device is not a syscon 2024-01-04 17:01:14 +01:00
net net/mlx5: DPLL, Fix possible use after free after delayed work timer triggers 2024-02-08 18:32:23 -08:00
nfc
ntb
nubus nubus: Make nubus_bus_type static and constant 2024-01-03 13:33:59 +01:00
nvdimm virtio: features, fixes 2024-01-18 16:44:03 -08:00
nvme nvme: allow passthru cmd error logging 2024-02-01 07:44:53 -08:00
nvmem Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
of IOMMU Updates for Linux v6.8 2024-01-18 15:16:57 -08:00
opp OPP: Rename 'rate_clk_single' 2024-01-05 15:55:41 +05:30
parisc parisc/power: Fix power soft-off button emulation on qemu 2024-01-07 22:59:16 +01:00
parport
pci PCI/ASPM: Fix deadlock when enabling ASPM 2024-01-31 09:03:51 -06:00
pcmcia
peci
perf ACPI updates for 6.8-rc1 2024-01-09 16:12:44 -08:00
phy phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP 2024-01-30 22:41:11 +05:30
pinctrl pinctrl: amd: Add IRQF_ONESHOT to the interrupt request 2024-01-31 10:06:07 +01:00
platform platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet 2024-01-26 20:21:47 +01:00
pmdomain Driver core changes for 6.8-rc1 2024-01-18 09:48:40 -08:00
pnp More ACPI updates for 6.8-rc1 2024-01-17 14:37:40 -08:00
power Revert "power: supply: qcom_battmgr: Register the power supplies after PDR is up" 2024-01-26 22:45:58 +01:00
powercap
pps
ps3
ptp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
pwm pwm: jz4740: Don't use dev_err_probe() in .request() 2024-01-12 18:25:05 +01:00
rapidio
ras
regulator regulator (max5970): Fix IRQ handler 2024-01-30 15:27:16 +00:00
remoteproc
reset SoC: driver updates for 6.8 2024-01-11 11:31:46 -08:00
rpmsg
rtc rtc: nuvoton: Compatible with NCT3015Y-R and NCT3018Y-R 2024-01-18 01:05:33 +01:00
s390 s390/qeth: Fix potential loss of L3-IP@ in case of network issues 2024-02-08 12:10:09 +01:00
sbus
scsi scsi: storvsc: Fix ring buffer size calculation 2024-01-23 21:27:28 -05:00
sh maple: make maple_bus_type static and const 2024-01-04 14:37:17 +01:00
siox
slimbus
soc soc: apple: mailbox: error pointers are negative integers 2024-01-30 11:34:49 -08:00
soundwire soundwire updates for 6.7 2024-01-18 17:08:31 -08:00
spi spi: sh-msiof: avoid integer overflow in constants 2024-01-30 15:27:21 +00:00
spmi
ssb
staging This cycle, I2C removes the currently unused CLASS_DDC support 2024-01-18 17:29:01 -08:00
target SCSI misc on 20240120 2024-01-20 09:42:32 -08:00
tc
tee Another moderately busy cycle for documentation, including: 2024-01-11 19:46:52 -08:00
thermal thermal: intel: powerclamp: Remove dead code for target mwait value 2024-01-22 11:59:22 +01:00
thunderbolt USB / Thunderbolt changes for 6.8-rc1 2024-01-18 11:43:55 -08:00
tty serial: max310x: prevent infinite while() loop in port startup 2024-01-27 19:09:10 -08:00
ufs SCSI misc on 20240120 2024-01-20 09:42:32 -08:00
uio uio: Fix use-after-free in uio_open 2024-01-04 17:03:47 +01:00
usb USB-serial device ids for 6.8-rc3 2024-02-02 08:36:38 -08:00
vdpa virtio: features, fixes 2024-01-18 16:44:03 -08:00
vfio VFIO updates for v6.8-rc1 2024-01-18 15:57:25 -08:00
vhost virtio: features, fixes 2024-01-18 16:44:03 -08:00
video fbdev: stifb: Fix crash in stifb_blank() 2024-01-23 09:13:24 +01:00
virt Char/Misc and other Driver changes for 6.8-rc1 2024-01-17 16:47:17 -08:00
virtio virtio: features, fixes 2024-01-18 16:44:03 -08:00
w1
watchdog linux-watchdog 6.8-rc1 tag 2024-01-12 13:32:30 -08:00
xen xen: branch for v6.8-rc1 2024-01-17 13:41:38 -08:00
zorro
Kconfig
Makefile fbdev/intelfb: Remove driver 2024-01-12 12:38:37 +01:00