mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 22:02:02 +00:00
Code Issues Releases Wiki Activity
linux-stable/lib
History
Jinjie Ruan 9acb294ebd kunit: Fix wild-memory-access bug in kunit_free_suite_set() 
[ Upstream commit 2810c1e998 ]

Inject fault while probing kunit-example-test.ko, if kstrdup()
fails in mod_sysfs_setup() in load_module(), the mod->state will
switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of
from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only
kunit_module_exit() will be called without kunit_module_init(), and
the mod->kunit_suites is no set correctly and the free in
kunit_free_suite_set() will cause below wild-memory-access bug.

The mod->state state machine when load_module() succeeds:

MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE
	 ^						|
	 |						| delete_module
	 +---------------- MODULE_STATE_GOING <---------+

The mod->state state machine when load_module() fails at
mod_sysfs_setup():

MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING
	^						|
	|						|
	+-----------------------------------------------+

Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue
because MODULE_STATE_LIVE is transformed from it.

 Unable to handle kernel paging request at virtual address ffffff341e942a88
 KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447]
 Mem abort info:
   ESR = 0x0000000096000004
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 Data abort info:
   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
 swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000
 [ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000
 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
 Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
 CPU: 3 PID: 2035 Comm: modprobe Tainted: G        W        N 6.5.0-next-20230828+ #136
 Hardware name: linux,dummy-virt (DT)
 pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : kfree+0x2c/0x70
 lr : kunit_free_suite_set+0xcc/0x13c
 sp : ffff8000829b75b0
 x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000
 x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300
 x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000
 x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000
 x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764
 x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7
 x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000
 x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000
 x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000
 x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000
 Call trace:
  kfree+0x2c/0x70
  kunit_free_suite_set+0xcc/0x13c
  kunit_module_notify+0xd8/0x360
  blocking_notifier_call_chain+0xc4/0x128
  load_module+0x382c/0x44a4
  init_module_from_file+0xd4/0x128
  idempotent_init_module+0x2c8/0x524
  __arm64_sys_finit_module+0xac/0x100
  invoke_syscall+0x6c/0x258
  el0_svc_common.constprop.0+0x160/0x22c
  do_el0_svc+0x44/0x5c
  el0_svc+0x38/0x78
  el0t_64_sync_handler+0x13c/0x158
  el0t_64_sync+0x190/0x194
 Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440)
 ---[ end trace 0000000000000000 ]---
 Kernel panic - not syncing: Oops: Fatal exception
 SMP: stopping secondary CPUs
 Kernel Offset: 0x4d0742200000 from 0xffff800080000000
 PHYS_OFFSET: 0xffffee43c0000000
 CPU features: 0x88000203,3c020000,1000421b
 Memory Limit: none
 Rebooting in 1 seconds..

Fixes: 3d6e446238 ("kunit: unify module and builtin suite definitions")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: Rae Moar <rmoar@google.com>
Reviewed-by: David Gow <davidgow@google.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-09-19 12:28:08 +02:00
..
842
crypto crypto: lib - remove unneeded selection of XOR_BLOCKS 2022-08-26 18:40:14 +08:00
dim linux/dim: Do nothing if no time delta between samples 2023-05-24 17:32:31 +01:00
fonts lib/fonts: fix undefined behavior in bit shift for get_default_font 2022-12-31 13:31:56 +01:00
kunit kunit: Fix wild-memory-access bug in kunit_free_suite_set() 2023-09-19 12:28:08 +02:00
livepatch
lz4 lib: make LZ4_decompress_safe_forceExtDict() static 2022-07-17 17:31:39 -07:00
lzo lib/lzo/lzo1x_compress.c: replace ternary operator with min() and min_t() 2022-07-29 18:12:34 -07:00
math
mpi lib/mpi: Fix buffer overrun when SG is too long 2023-03-10 09:32:52 +01:00
pldmfw
raid6
reed_solomon treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
test_fortify
vdso lib/vdso: use "grep -E" instead of "egrep" 2022-11-23 19:50:15 +01:00
xz
zlib_deflate
zlib_dfltcc zlib: move EXPORT_SYMBOL() and MODULE_LICENSE() out of dfltcc_syms.c 2020-12-29 15:36:49 -08:00
zlib_inflate
zstd zstd: Fix definition of assert() 2023-04-06 12:10:38 +02:00
.gitignore
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c
asn1_encoder.c
assoc_array.c
atomic64.c
atomic64_test.c
audit.c
base64.c lib/base64: RFC4648-compliant base64 encoding 2022-08-02 17:14:47 -06:00
bcd.c
bch.c
bitfield_kunit.c
bitmap.c lib/bitmap: drop optimization of bitmap_{from,to}_arr64 2023-07-19 16:21:58 +02:00
bitrev.c
bootconfig-data.S
bootconfig.c
bsearch.c
btree.c
bucket_locks.c
bug.c cpuidle: lib/bug: Disable rcu_is_watching() during WARN/BUG 2023-03-10 09:33:47 +01:00
build_OID_registry
buildid.c
bust_spinlocks.c kernel/panic: Drop unblank_screen call 2022-09-01 16:55:35 +02:00
check_signature.c
checksum.c
clz_ctz.c lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels 2023-08-30 16:11:08 +02:00
clz_tab.c
cmdline.c lib/cmdline: avoid page fault in next_arg 2022-09-11 21:55:06 -07:00
cmdline_kunit.c treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
cmpdi2.c
compat_audit.c
cpu_rmap.c lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() 2023-06-14 11:15:22 +02:00
cpumask.c lib/find_bit: add find_next{,_and}_bit_wrap 2022-10-01 10:22:57 -07:00
cpumask_kunit.c lib/test_cpumask: Add for_each_cpu_and(not) tests 2022-10-06 05:57:36 -07:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc4.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
crc32test.c
crc64-rocksoft.c
crc64.c
ctype.c
debug_info.c
debug_locks.c
debugobjects.c debugobjects: Recheck debug_objects_enabled before reporting 2023-08-11 12:08:23 +02:00
dec_and_lock.c
decompress.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
decompress_unzstd.c
devmem_is_allowed.c
devres.c devres: remove devm_ioremap_np 2022-09-01 18:04:43 +02:00
digsig.c
dump_stack.c
dynamic_debug.c dyndbg: add drm.debug style (drm/parameters/debug) bitmap support 2022-09-07 17:04:49 +02:00
dynamic_queue_limits.c
earlycpio.c lib: move from strlcpy with unused retval to strscpy 2022-09-11 21:55:10 -07:00
errname.c printf: fix errname.c list 2023-03-10 09:33:27 +01:00
error-inject.c lib/error-inject: traverse list with mutex 2022-07-17 17:31:38 -07:00
errseq.c
extable.c
fault-inject-usercopy.c
fault-inject.c mm: fix unexpected changes to {failslab|fail_page_alloc}.attr 2022-11-22 18:50:44 -08:00
fdt.c
fdt_addresses.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c lib/find_bit: Introduce find_next_andnot_bit() 2022-10-06 05:57:36 -07:00
find_bit_benchmark.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
flex_proportions.c flex_proportions: Disable preemption entering the write section. 2022-09-19 14:35:08 +02:00
fortify_kunit.c fortify: Adjust KUnit test for modular build 2022-09-14 07:04:15 -07:00
gen_crc32table.c
gen_crc64table.c
genalloc.c
generic-radix-tree.c
glob.c
globtest.c
hexdump.c
hweight.c
idr.c idr: fix param name in idr_alloc_cyclic() doc 2023-09-19 12:28:03 +02:00
inflate.c
interval_tree.c
interval_tree_test.c
iomap.c kmsan: add iomap support 2022-10-03 14:03:21 -07:00
iomap_copy.c
iommu-helper.c
iov_iter.c instrumented.h: allow instrumenting both sides of copy_from_user() 2022-10-03 14:03:18 -07:00
irq_poll.c
irq_regs.c
is_signed_type_kunit.c lib: Improve the is_signed_type() kunit test 2022-09-07 16:37:27 -07:00
is_single_threaded.c
kasprintf.c
Kconfig This update includes the following changes: 2022-10-10 13:04:25 -07:00
Kconfig.debug test_kprobes: Fix implicit declaration error of test_kprobes 2023-01-07 11:11:55 +01:00
Kconfig.kasan kasan: drop CONFIG_KASAN_TAGS_IDENTIFY 2022-10-03 14:02:57 -07:00
Kconfig.kcsan
Kconfig.kfence
Kconfig.kgdb parisc: Convert PDC console to an early console 2022-10-11 12:01:24 +02:00
Kconfig.kmsan kmsan: make sure PREEMPT_RT is off 2022-11-08 15:57:24 -08:00
Kconfig.ubsan ubsan: disable UBSAN_DIV_ZERO for clang 2022-07-14 15:45:26 -07:00
kfifo.c
klist.c
kobject.c kobject: Fix slab-out-of-bounds in fill_kobj_path() 2023-03-10 09:33:30 +01:00
kobject_uevent.c
kstrtox.c
kstrtox.h
libcrc32c.c
linear_ranges.c
list-test.c
list_debug.c
list_sort.c
llist.c llist: use try_cmpxchg in llist_add_batch and llist_del_first 2022-09-11 21:55:06 -07:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lockref.c lockref: stop doing cpu_relax in the cmpxchg loop 2023-02-01 08:34:34 +01:00
logic_iomem.c
logic_pio.c
lru_cache.c lib/lru_cache: fix error free handing in lc_create 2022-07-17 17:31:37 -07:00
lshrdi3.c
Makefile lib/bitmap: workaround const_eval test build failure 2023-08-11 12:08:10 +02:00
maple_tree.c maple_tree: disable mas_wr_append() when other readers are possible 2023-08-30 16:11:13 +02:00
memcat_p.c
memcpy_kunit.c kunit/memcpy: Avoid pathological compile-time string size 2022-09-07 16:37:48 -07:00
memory-notifier-error-inject.c
memregion.c
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c netlink: prevent potential spectre v1 gadgets 2023-02-01 08:34:43 +01:00
nmi_backtrace.c
notifier-error-inject.c lib/notifier-error-inject: fix error when writing -errno to debugfs file 2022-12-31 13:31:58 +01:00
notifier-error-inject.h
objagg.c
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c once: rename _SLOW to _SLEEPABLE 2022-10-03 17:34:32 -07:00
overflow_kunit.c overflow: Refactor test skips for Clang-specific issues 2022-10-25 14:57:42 -07:00
packing.c
parman.c
parser.c
pci_iomap.c
percpu-refcount.c
percpu_counter.c
percpu_test.c
plist.c
pm-notifier-error-inject.c
polynomial.c
radix-tree.c radix tree: remove unused variable 2023-08-30 16:11:08 +02:00
random32.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
ratelimit.c ratelimit: Fix data-races in ___ratelimit(). 2022-08-24 13:46:57 +01:00
rbtree.c
rbtree_test.c
ref_tracker.c
refcount.c
rhashtable.c
sbitmap.c sbitmap: Try each queue to wake up at least one waiter 2023-03-10 09:34:34 +01:00
scatterlist.c lib/scatterlist: use matched parameter type when calling __sg_free_table() 2022-07-17 17:31:39 -07:00
seq_buf.c
sg_pool.c lib/sg_pool: change module_init(sg_pool_init) to subsys_initcall 2022-09-23 16:46:19 +02:00
sg_split.c
show_mem.c mm: reduce noise in show_mem for lowmem allocations 2022-09-26 19:46:29 -07:00
siphash.c
slub_kunit.c
smp_processor_id.c lib/smp_processor_id: fix imbalanced instrumentation_end() call 2022-07-17 17:31:41 -07:00
sort.c
stackdepot.c stackdepot: reserve 5 extra bits in depot_stack_handle_t 2022-10-03 14:03:18 -07:00
stackinit_kunit.c lib: stackinit: update reference to kunit-tool 2022-09-30 13:21:22 -06:00
stmp_device.c
string.c kmsan: disable strscpy() optimization under KMSAN 2022-10-03 14:03:22 -07:00
string_helpers.c lib/string_helpers: Introduce parse_int_array_user() 2022-09-05 14:51:46 +01:00
strncpy_from_user.c
strnlen_user.c
syscall.c
test-kstrtox.c
test-string_helpers.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
test_bitmap.c lib/bitmap: workaround const_eval test build failure 2023-08-11 12:08:10 +02:00
test_bitops.c
test_bits.c
test_blackhole_dev.c
test_bpf.c
test_debug_virtual.c
test_dynamic_debug.c dyndbg: test DECLARE_DYNDBG_CLASSMAP, sysfs nodes 2022-09-07 17:04:49 +02:00
test_firmware.c test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation 2023-08-03 10:24:19 +02:00
test_fprobe.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
test_fpu.c
test_free_pages.c lib/test_free_pages.c: pass a pointer to virt_to_page() 2022-07-17 17:14:36 -07:00
test_hash.c
test_hexdump.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
test_hmm.c hmm-tests: add test for migrate_device_range() 2022-10-12 18:51:50 -07:00
test_hmm_uapi.h hmm-tests: add test for migrate_device_range() 2022-10-12 18:51:50 -07:00
test_ida.c
test_kmod.c
test_kprobes.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
test_linear_ranges.c
test_list_sort.c treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
test_lockup.c
test_maple_tree.c maple_tree: fix 32 bit mas_next testing 2023-08-03 10:23:55 +02:00
test_memcat_p.c
test_meminit.c lib/test_meminit: allocate pages up to order MAX_ORDER 2023-09-19 12:27:57 +02:00
test_min_heap.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
test_module.c
test_objagg.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
test_parman.c
test_printf.c lib/test_printf.c: fix clang -Wformat warnings 2022-07-28 10:38:30 +02:00
test_ref_tracker.c
test_rhashtable.c rhashtable: make test actually random 2022-10-26 13:39:09 +01:00
test_scanf.c lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix() 2023-09-19 12:28:05 +02:00
test_siphash.c
test_sort.c
test_static_key_base.c
test_static_keys.c
test_string.c
test_strscpy.c
test_sysctl.c
test_ubsan.c
test_user_copy.c
test_uuid.c
test_vmalloc.c treewide: use get_random_{u8,u16}() when possible, part 2 2022-10-11 17:42:58 -06:00
test_xarray.c
textsearch.c
timerqueue.c
trace_readwrite.c
ts_bm.c lib/ts_bm: reset initial match offset for every block of text 2023-07-19 16:21:13 +02:00
ts_fsm.c
ts_kmp.c
ubsan.c panic: Consolidate open-coded panic_on_warn checks 2023-01-24 07:24:41 +01:00
ubsan.h
ucmpdi2.c
ucs2_string.c
usercopy.c uaccess: Add speculation barrier to copy_from_user() 2023-02-25 11:25:41 +01:00
uuid.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
vsprintf.c printk changes for 6.1 2022-10-10 11:24:19 -07:00
win_minmax.c
xarray.c XArray: Do not return sibling entries from xa_load() 2023-09-13 09:43:00 +02:00
xxhash.c