linux-stable/arch/x86/kernel
Nadav Amit a00ed4e5d5 x86/alternative: Fix race in try_get_desc()
commit efd608fa74 upstream.

I encountered some occasional crashes of poke_int3_handler() when
kprobes are set, while accessing desc->vec.

The text poke mechanism claims to have an RCU-like behavior, but it
does not appear that there is any quiescent state to ensure that
nobody holds reference to desc. As a result, the following race
appears to be possible, which can lead to memory corruption.

  CPU0					CPU1
  ----					----
  text_poke_bp_batch()
  -> smp_store_release(&bp_desc, &desc)

  [ notice that desc is on
    the stack			]

					poke_int3_handler()

					[ int3 might be kprobe's
					  so sync events do not
					  help ]

					-> try_get_desc(descp=&bp_desc)
					   desc = __READ_ONCE(bp_desc)

					   if (!desc) [false, success]
  WRITE_ONCE(bp_desc, NULL);
  atomic_dec_and_test(&desc.refs)

  [ success, desc space on the stack
    is being reused and might have
    non-zero value. ]
					arch_atomic_inc_not_zero(&desc->refs)

					[ might succeed since desc points to
					  stack memory that was freed and might
					  be reused. ]

Fix this issue with a small backportable patch. Instead of trying to
make RCU-like behavior for bp_desc, just eliminate the unnecessary
level of indirection of bp_desc, and hold the whole descriptor as a
global. Anyhow, there is only a single descriptor at any given
moment.

Fixes: 1f676247f3 ("x86/alternatives: Implement a better poke_int3_handler() completion scheme")
Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@kernel.org
Link: https://lkml.kernel.org/r/20220920224743.3089-1-namit@vmware.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-10-05 10:39:44 +02:00
acpi x86: Prepare asm files for straight-line-speculation 2022-05-15 20:18:49 +02:00
apic x86: Fix return value of __setup handlers 2022-06-09 10:22:53 +02:00
cpu x86/sgx: Do not fail on incomplete sanitization on premature stop of ksgxd 2022-10-05 10:39:37 +02:00
fpu x86/fpu: Prevent FPU state corruption 2022-05-12 12:30:02 +02:00
kprobes x86/kprobes: Fix JNG/JNLE emulation 2022-08-25 11:39:57 +02:00
.gitignore
alternative.c x86/alternative: Fix race in try_get_desc() 2022-10-05 10:39:44 +02:00
amd_gart_64.c x86/amd_gart: don't set failed sg dma_address to DMA_MAPPING_ERROR 2021-08-09 17:13:06 +02:00
amd_nb.c hwmon: (k10temp) Add support for yellow carp 2021-08-27 13:54:58 -07:00
aperture_64.c memblock: make memblock_find_in_range method private 2021-09-03 09:58:17 -07:00
apm_32.c x86: Fix various typos in comments, take #2 2021-03-21 23:50:28 +01:00
asm-offsets.c x86/paravirt: Switch iret pvops to ALTERNATIVE 2021-03-11 19:58:54 +01:00
asm-offsets_32.c x86/stackprotector/32: Make the canary into a regular percpu variable 2021-03-08 13:19:05 +01:00
asm-offsets_64.c x86/xen: Drop USERGS_SYSRET64 paravirt call 2021-02-10 12:32:07 +01:00
audit_64.c
bootflag.c
cc_platform.c x86/sev: Add an x86 version of cc_platform_has() 2021-11-18 19:17:21 +01:00
check.c
cpuid.c
crash.c x86/crash: Remove crash_reserve_low_1M() 2021-06-07 12:14:45 +02:00
crash_core_32.c
crash_core_64.c
crash_dump_32.c
crash_dump_64.c
devicetree.c
doublefault_32.c x86/stackprotector/32: Make the canary into a regular percpu variable 2021-03-08 13:19:05 +01:00
dumpstack.c x86/dumpstack: use %pSb/%pBb for backtrace printing 2021-07-08 11:48:22 -07:00
dumpstack_32.c
dumpstack_64.c x86/mm/64: Improve stack overflow warnings 2021-11-18 19:16:10 +01:00
e820.c x86/boot: Fix memremap of setup_indirect structures 2022-03-16 14:23:45 +01:00
early-quirks.c x86/gpu: Reserve stolen memory for first integrated Intel GPU 2022-01-27 11:02:51 +01:00
early_printk.c
ebda.c
eisa.c
espfix_64.c
ftrace.c x86/ftrace: Use alternative RET encoding 2022-08-21 15:17:48 +02:00
ftrace_32.S x86: Prepare asm files for straight-line-speculation 2022-05-15 20:18:49 +02:00
ftrace_64.S x86/ibt,ftrace: Make function-graph play nice 2022-08-21 15:17:48 +02:00
head32.c
head64.c x86: Clear .brk area at early boot 2022-07-21 21:24:40 +02:00
head_32.S x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit 2022-07-23 12:54:12 +02:00
head_64.S objtool: Add entry UNRET validation 2022-07-23 12:54:06 +02:00
hpet.c rtc: Check return value from mc146818_get_time() 2022-04-13 20:59:14 +02:00
hw_breakpoint.c x86/debug: Prevent data breakpoints on cpu_dr7 2021-02-05 20:13:12 +01:00
i8237.c
i8253.c
i8259.c x86: Avoid magic number with ELCR register accesses 2021-08-10 23:31:43 +02:00
idt.c X86 interrupt related changes: 2021-06-29 12:36:59 -07:00
io_delay.c
ioport.c
irq.c x86/irq: Ensure PI wakeup handler is unregistered before module unload 2021-11-18 19:15:56 +01:00
irq_32.c softirq: Move do_softirq_own_stack() to generic asm header 2021-02-10 23:34:16 +01:00
irq_64.c x86/softirq/64: Inline do_softirq_own_stack() 2021-02-10 23:34:17 +01:00
irq_work.c
irqflags.S x86: Prepare asm files for straight-line-speculation 2022-05-15 20:18:49 +02:00
irqinit.c
itmt.c
jailhouse.c
jump_label.c jump_labels: Mark __jump_label_transform() as __always_inlined to work around aggressive compiler un-inlining 2021-07-13 06:32:05 +02:00
kdebugfs.c x86/boot: Fix memremap of setup_indirect structures 2022-03-16 14:23:45 +01:00
kexec-bzimage64.c x86: Use ELF fields defined in 'struct kimage' 2021-03-08 12:06:29 -07:00
kgdb.c x86: Fix various typos in comments 2021-03-18 15:31:53 +01:00
ksysfs.c x86/boot: Fix memremap of setup_indirect structures 2022-03-16 14:23:45 +01:00
kvm.c x86, kvm: use proper ASM macros for kvm_vcpu_is_preempted 2022-07-02 16:41:12 +02:00
kvmclock.c x86/kvmclock: Move this_cpu_pvti into kvmclock.h 2021-09-30 04:08:01 -04:00
ldt.c memcg: enable accounting for ldt_struct objects 2021-09-03 09:58:13 -07:00
machine_kexec_32.c x86/kexec: Set_[gi]dt() -> native_[gi]dt_invalidate() in machine_kexec_*.c 2021-05-21 12:36:45 +02:00
machine_kexec_64.c x86/kexec: fix memory leak of elf header buffer 2022-06-09 10:22:29 +02:00
Makefile x86/sev: Add an x86 version of cc_platform_has() 2021-11-18 19:17:21 +01:00
mmconf-fam10h_64.c x86/msr: Rename MSR_K8_SYSCFG to MSR_AMD64_SYSCFG 2021-05-10 07:51:38 +02:00
module.c x86: Undo return-thunk damage 2022-07-23 12:53:58 +02:00
mpparse.c x86: Avoid magic number with ELCR register accesses 2021-08-10 23:31:43 +02:00
msr.c x86/MSR: Filter MSR writes through X86_IOC_WRMSR_REGS ioctl too 2021-01-27 19:06:47 +01:00
nmi.c x86/sev-es: Rename sev-es.{ch} to sev.{ch} 2021-05-10 07:40:27 +02:00
nmi_selftest.c
paravirt-spinlocks.c x86/paravirt: Add new features for paravirt patching 2021-03-11 19:51:49 +01:00
paravirt.c x86: Prepare inline-asm for straight-line-speculation 2022-05-15 20:18:50 +02:00
pci-dma.c
pci-iommu_table.c x86: Remove definition of DEBUG 2021-01-15 08:23:10 +01:00
pci-swiotlb.c
pcspeaker.c
perf_regs.c
platform-quirks.c
pmem.c x86/pmem: Fix platform-device leak in error path 2022-08-17 14:23:07 +02:00
probe_roms.c
process.c x86: Handle idle=nomwait cmdline properly for x86_idle 2022-08-17 14:23:00 +02:00
process.h
process_32.c
process_64.c x86/fpu: Add PKRU storage outside of task XSAVE buffer 2021-06-23 19:37:45 +02:00
ptrace.c x86/ptrace: Fix xfpregs_set()'s incorrect xmm clearing 2022-03-02 11:47:47 +01:00
pvclock.c x86: Fix various typos in comments 2021-03-18 15:31:53 +01:00
quirks.c
reboot.c x86/mm: Flush global TLB when switching to trampoline page-table 2022-01-27 11:04:35 +01:00
reboot_fixups_32.c
relocate_kernel_32.S x86/kexec: Disable RET on kexec 2022-07-23 12:54:11 +02:00
relocate_kernel_64.S x86/kexec: Disable RET on kexec 2022-07-23 12:54:11 +02:00
resource.c
rtc.c
setup.c x86/boot: Fix memremap of setup_indirect structures 2022-03-16 14:23:45 +01:00
setup_percpu.c memblock: introduce saner 'memblock_free_ptr()' interface 2021-09-14 13:23:22 -07:00
sev-shared.c x86/sev: Return an error on a returned non-zero SW_EXITINFO1[31:0] 2021-10-01 11:14:41 +02:00
sev.c x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword 2021-12-08 09:04:53 +01:00
sev_verify_cbit.S x86: Prepare asm files for straight-line-speculation 2022-05-15 20:18:49 +02:00
signal.c Fixes and improvements for FPU handling on x86: 2021-07-07 11:12:01 -07:00
signal_compat.c signal: Deliver SIGTRAP on perf event asynchronously if blocked 2022-06-09 10:22:48 +02:00
smp.c x86: Fix various typos in comments, take #2 2021-03-21 23:50:28 +01:00
smpboot.c x86/smp: Add a per-cpu view of SMT state 2021-07-28 11:42:23 +02:00
stacktrace.c stacktrace: Move documentation for arch_stack_walk_reliable() to header 2021-03-10 15:52:31 +01:00
static_call.c x86/static_call: Serialize __static_call_fixup() properly 2022-07-23 12:54:11 +02:00
step.c ptrace: Reimplement PTRACE_KILL by always sending SIGKILL 2022-06-09 10:22:29 +02:00
sys_ia32.c
sys_x86_64.c x86/mm: Cleanup the control_va_addr_alignment() __setup handler 2022-06-09 10:22:54 +02:00
tboot.c x86/boot/tboot: Avoid Wstringop-overread-warning 2021-03-23 00:16:13 +01:00
time.c
tls.c x86/stackprotector/32: Make the canary into a regular percpu variable 2021-03-08 13:19:05 +01:00
tls.h
topology.c x86: Fix various typos in comments 2021-03-18 15:31:53 +01:00
trace.c trace/osnoise: Fix 'no previous prototype' warnings 2021-06-28 14:12:26 -04:00
trace_clock.c
tracepoint.c
traps.c x86/traps: Use pt_regs directly in fixup_bad_iret() 2022-07-23 12:53:47 +02:00
tsc.c x86/tsc: Disable clocksource watchdog for TSC on qualified platorms 2021-12-08 09:04:56 +01:00
tsc_msr.c
tsc_sync.c x86/tsc: Add a timer to make sure TSC_adjust is always checked 2021-12-08 09:04:56 +01:00
umip.c x86/insn: Extend error reporting from insn_fetch_from_user[_inatomic]() 2021-06-15 11:39:30 +02:00
unwind_frame.c
unwind_guess.c
unwind_orc.c x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry 2022-08-31 17:16:47 +02:00
uprobes.c x86/uprobes: Convert to insn_decode() 2021-03-15 12:05:03 +01:00
verify_cpu.S x86: Prepare asm files for straight-line-speculation 2022-05-15 20:18:49 +02:00
vm86_32.c signal: Replace force_fatal_sig with force_exit_sig when in doubt 2021-11-25 09:49:07 +01:00
vmlinux.lds.S x86: Add magic AMD return-thunk 2022-07-23 12:54:01 +02:00
vsmp_64.c
x86_init.c