mirror-linux/drivers
Harald Freudenberger 50ed48c80f s390/zcrypt: fix reference counting on zcrypt card objects
Tests with hot-plugging crypto cards on KVM guests with debug
kernel build revealed a use after free for the load field of
the struct zcrypt_card. The reason was an incorrect reference
handling of the zcrypt card object which could lead to a free
of the zcrypt card object while it was still in use.

This is an example of the slab message:

    kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
    kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
    kernel:  kmalloc_trace+0x3f2/0x470
    kernel:  zcrypt_card_alloc+0x36/0x70 [zcrypt]
    kernel:  zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
    kernel:  ap_device_probe+0x15c/0x290
    kernel:  really_probe+0xd2/0x468
    kernel:  driver_probe_device+0x40/0xf0
    kernel:  __device_attach_driver+0xc0/0x140
    kernel:  bus_for_each_drv+0x8c/0xd0
    kernel:  __device_attach+0x114/0x198
    kernel:  bus_probe_device+0xb4/0xc8
    kernel:  device_add+0x4d2/0x6e0
    kernel:  ap_scan_adapter+0x3d0/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
    kernel:  kfree+0x37e/0x418
    kernel:  zcrypt_card_put+0x54/0x80 [zcrypt]
    kernel:  ap_device_remove+0x4c/0xe0
    kernel:  device_release_driver_internal+0x1c4/0x270
    kernel:  bus_remove_device+0x100/0x188
    kernel:  device_del+0x164/0x3c0
    kernel:  device_unregister+0x30/0x90
    kernel:  ap_scan_adapter+0xc8/0x7c0
    kernel:  ap_scan_bus+0x5a/0x3b0
    kernel:  ap_scan_bus_wq_callback+0x40/0x60
    kernel:  process_one_work+0x26e/0x620
    kernel:  worker_thread+0x21c/0x440
    kernel:  kthread+0x150/0x168
    kernel:  __ret_from_fork+0x3c/0x58
    kernel:  ret_from_fork+0xa/0x30
    kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
    kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
    kernel: Redzone  00000000885a74b0: bb bb bb bb bb bb bb bb                          ........
    kernel: Object   00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
    kernel: Object   00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5  kkkkkkkkkkhKkkk.
    kernel: Redzone  00000000885a7518: bb bb bb bb bb bb bb bb                          ........
    kernel: Padding  00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
    kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
    kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
    kernel: Call Trace:
    kernel:  [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
    kernel:  [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
    kernel:  [<00000000c99d53cc>] check_object+0x334/0x3f8
    kernel:  [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
    kernel:  [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
    kernel:  [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
    kernel:  [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
    kernel:  [<00000000c99dc8dc>] __kmalloc+0x434/0x590
    kernel:  [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
    kernel:  [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
    kernel:  [<00000000c9b919dc>] ext4_htree_fill_tree+0x134/0x400
    kernel:  [<00000000c9b4b3d0>] ext4_dx_readdir+0x160/0x2f0
    kernel:  [<00000000c9b4bedc>] ext4_readdir+0x5f4/0x760
    kernel:  [<00000000c9a7efc4>] iterate_dir+0xb4/0x280
    kernel:  [<00000000c9a7f1ea>] __do_sys_getdents64+0x5a/0x120
    kernel:  [<00000000ca5d6946>] __do_syscall+0x256/0x310
    kernel:  [<00000000ca5eea10>] system_call+0x70/0x98
    kernel: INFO: lockdep is turned off.
    kernel: FIX kmalloc-96: Restoring Poison 0x00000000885a7512-0x00000000885a7513=0x6b
    kernel: FIX kmalloc-96: Marking all objects used

The fix is simple: Before use of the queue not only the queue object
but also the card object needs to increase its reference count
with a call to zcrypt_card_get(). Similarly, after use of the queue
not only the queue but also the card object's reference count is
decreased with zcrypt_card_put().

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2024-03-13 09:23:44 +01:00
accel accel/ivpu: Don't enable any tiles by default on VPU40xx 2024-02-20 16:56:21 +01:00
accessibility
acpi ACPI fix for 6.8-rc7 2024-02-28 12:20:00 -08:00
amba
android binder: signal epoll threads of self-work 2024-01-31 14:08:28 -08:00
ata ata: libata-core: Do not call ata_dev_power_set_standby() twice 2024-02-21 19:09:17 +01:00
atm atm: fore200e: Convert to platform remove callback returning void 2024-03-07 20:36:32 -08:00
auxdisplay
base * Mitigate RFDS vulnerability 2024-03-12 09:31:39 -07:00
bcma bcma: make bcma_bus_type const 2024-02-06 20:07:35 +02:00
block for-6.9/block-20240310 2024-03-11 11:43:44 -07:00
bluetooth Bluetooth: Add new quirk for broken read key length on ATS2851 2024-03-06 17:27:14 -05:00
bus ARM: SoC drivers for 6.9 2024-03-12 10:35:24 -07:00
cache cache: ax45mp_cache: Align end size to cache boundary in ax45mp_dma_cache_wback() 2024-02-21 16:24:10 +00:00
cdrom cdrom: gdrom: Convert to platform remove callback returning void 2024-03-07 11:53:30 -07:00
cdx
char
clk Initial support for the rk3568 Qnap TS433 NAS, the rk3588-based Tiger SoM 2024-03-04 08:32:45 +01:00
clocksource treewide: Remove system_counterval_t.cs, which is never read 2024-02-07 17:05:21 +01:00
comedi comedi: comedi_test: Prevent timers rescheduling during deletion 2024-03-05 14:21:45 +00:00
connector connector/cn_proc: revert "connector: Fix proc_event_num_listeners count not cleared" 2024-02-13 11:15:44 +01:00
counter counter: fix privdata alignment 2024-02-16 18:51:00 -05:00
cpufreq cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call back 2024-02-24 15:01:59 +01:00
cpuidle
crypto - Add the x86 part of the SEV-SNP host support. This will allow the 2024-03-11 17:44:11 -07:00
cxl cxl/acpi: Fix load failures due to single window creation failure 2024-02-20 22:58:05 -08:00
dax mm, slab: remove last vestiges of SLAB_MEM_SPREAD 2024-03-12 20:32:19 -07:00
dca
devfreq
dio
dma Updates for the MSI interrupt subsystem and RISC-V initial MSI support: 2024-03-11 14:03:03 -07:00
dma-buf dma-buf: heaps: Don't track CMA dma-buf pages under RssFile 2024-01-31 19:54:58 +05:30
dpll Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-03-11 20:38:36 -07:00
edac - Add a FRU (Field Replaceable Unit) memory poison manager which 2024-03-11 18:14:06 -07:00
eisa
extcon
firewire firewire: ohci: prevent leak of left-over IRQ on unbind 2024-03-06 22:35:22 +09:00
firmware pstore updates for v6.9-rc1 2024-03-12 14:36:18 -07:00
fpga
fsi
gnss
gpio gpio: fix resource unwinding order in error path 2024-03-01 09:33:30 +01:00
gpu A moderatly busy cycle for development this time around. 2024-03-12 15:18:34 -07:00
greybus
hid bpf-next-for-netdev 2024-03-02 20:50:59 -08:00
hsi
hte
hv Drivers: hv: vmbus: make hv_bus const 2024-03-03 02:32:35 +00:00
hwmon Rework of APIC enumeration and topology evaluation: 2024-03-11 15:45:55 -07:00
hwspinlock
hwtracing
i2c i2c: aspeed: Fix the dummy irq expected print 2024-03-08 10:10:27 +01:00
i3c
idle
iio iio: accel: adxl367: fix I2C FIFO data register 2024-02-25 14:31:14 +00:00
infiniband rtnetlink: prepare nla_put_iflink() to run under RCU 2024-02-26 11:46:12 +00:00
input Input updates for v6.8-rc7 2024-03-08 13:06:35 -08:00
interconnect interconnect: qcom: x1e80100: Add missing ACV enable_mask 2024-02-04 23:36:06 +02:00
iommu SoC: device tree updates for 6.9 2024-03-12 10:29:57 -07:00
ipack
irqchip Updates for the MSI interrupt subsystem and RISC-V initial MSI support: 2024-03-11 14:03:03 -07:00
isdn isdn: capi: make capi_class constant 2024-03-07 20:26:24 -08:00
leds
macintosh
mailbox irqchip: Convert all platform MSI users to the new API 2024-02-15 17:55:40 +01:00
mcb
md Revert "dm: use queue_limits_set" 2024-03-11 17:11:28 -07:00
media Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-02-22 15:29:26 -08:00
memory memory: stm32-fmc2-ebi: keep power domain on 2024-02-27 10:18:04 +01:00
memstick mspro_block: pass queue_limits to blk_mq_alloc_disk 2024-02-19 16:59:31 -07:00
message
mfd
misc slab changes for 6.9 2024-03-12 20:14:54 -07:00
mmc for-6.9/block-20240310 2024-03-11 11:43:44 -07:00
most
mtd for-6.9/block-20240310 2024-03-11 11:43:44 -07:00
mux
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-03-11 20:38:36 -07:00
nfc
ntb
nubus
nvdimm pmem: pass queue_limits to blk_mq_alloc_disk 2024-02-19 16:58:24 -07:00
nvme Networking changes for 6.9. 2024-03-12 17:44:08 -07:00
nvmem nvmem: include bit index in cell sysfs file name 2024-02-14 16:28:16 +01:00
of Devicetree fix for v6.8, part 2: 2024-03-01 17:18:35 -08:00
opp
parisc
parport
pci Networking changes for 6.9. 2024-03-12 17:44:08 -07:00
pcmcia
peci
perf Updates for the MSI interrupt subsystem and RISC-V initial MSI support: 2024-03-11 14:03:03 -07:00
phy phy: qcom-qmp-combo: fix type-c switch registration 2024-03-06 20:37:37 +05:30
pinctrl pinctrl: don't put the reference to GPIO device in pinctrl_pins_show() 2024-02-29 14:36:40 +01:00
platform Rework of APIC enumeration and topology evaluation: 2024-03-11 15:45:55 -07:00
pmdomain ARM: SoC drivers for 6.9 2024-03-12 10:35:24 -07:00
pnp
power power: supply: bq27xxx-i2c: Do not free non existing IRQ 2024-02-16 23:42:38 +01:00
powercap x86/cpu/topology: Rename topology_max_die_per_package() 2024-02-15 22:07:45 +01:00
pps
ps3
ptp Networking changes for 6.9. 2024-03-12 17:44:08 -07:00
pwm
rapidio
ras - Add a FRU (Field Replaceable Unit) memory poison manager which 2024-03-11 18:14:06 -07:00
regulator regulator: rk808: fix LDO range on RK806 2024-03-04 14:54:32 +00:00
remoteproc
reset
rpmsg
rtc rtc: test: Fix invalid format specifier. 2024-02-27 16:26:48 -07:00
s390 s390/zcrypt: fix reference counting on zcrypt card objects 2024-03-13 09:23:44 +01:00
sbus
scsi for-6.9/block-20240310 2024-03-11 11:43:44 -07:00
sh
siox
slimbus
soc ARM: SoC drivers for 6.9 2024-03-12 10:35:24 -07:00
soundwire
spi spi: cs42l43: Don't limit native CS to the first chip select 2024-03-06 17:44:28 +00:00
spmi
ssb ssb: make ssb_bustype const 2024-02-06 20:07:12 +02:00
staging Networking changes for 6.9. 2024-03-12 17:44:08 -07:00
target vfs-6.9.super 2024-03-11 10:52:34 -07:00
tc
tee ARM: SoC drivers for 6.9 2024-03-12 10:35:24 -07:00
thermal x86/cpu/topology: Rename topology_max_die_per_package() 2024-02-15 22:07:45 +01:00
thunderbolt thunderbolt: Fix for v6.8-rc7 2024-03-02 19:47:01 +01:00
tty Revert "tty: serial: simplify qcom_geni_serial_send_chunk_fifo()" 2024-03-05 13:40:34 +00:00
ufs Updates for the MSI interrupt subsystem and RISC-V initial MSI support: 2024-03-11 14:03:03 -07:00
uio
usb mm, slab: remove last vestiges of SLAB_MEM_SPREAD 2024-03-12 20:32:19 -07:00
vdpa
vfio
vhost vhost/net: remove vhost_net_page_frag_refill() 2024-03-05 11:38:14 +01:00
video hyperv-fixes for v6.8 2024-03-05 12:38:50 -08:00
virt
virtio
w1
watchdog watchdog: s3c2410_wdt: use exynos_get_pmu_regmap_by_phandle() for PMU regs 2024-02-25 11:39:25 +01:00
xen Support for x86 Fast Return and Event Delivery (FRED): 2024-03-11 16:00:17 -07:00
zorro zorro: Make zorro_bus_type const 2024-02-19 11:10:55 +01:00
Kconfig
Makefile