android_kernel_xiaomi_sm8350/lib
Thomas Gleixner 22d7ec50ff debugobject: Prevent init race with static objects
[ Upstream commit 63a759694eed61025713b3e14dd827c8548daadc ]

Statically initialized objects are usually not initialized via the init()
function of the subsystem. They are special cased and the subsystem
provides a function to validate whether an object which is not yet tracked
by debugobjects is statically initialized. This means the object starts
being tracked on first use, e.g. activation.

This works perfectly fine, unless there are two concurrent operations on
that object. Schspa decoded the problem:

T0                                  T1

debug_object_assert_init(addr)
  lock_hash_bucket()
  obj = lookup_object(addr);
  if (!obj) {
    unlock_hash_bucket();
    -> preemption
                                    lock_subsystem_object(addr);
                                      activate_object(addr)
                                      lock_hash_bucket();
                                      obj = lookup_object(addr);
                                      if (!obj) {
                                        unlock_hash_bucket();
                                        if (is_static_object(addr))
                                          init_and_track(addr);
                                      lock_hash_bucket();
                                      obj = lookup_object(addr);
                                      obj->state = ACTIVATED;
                                      unlock_hash_bucket();

                                    subsys function modifies content of addr,
                                    so static object detection
                                    no longer works.

                                    unlock_subsystem_object(addr);

    if (is_static_object(addr)) <- Fails

      debugobject emits a warning and invokes the fixup function which
      reinitializes the already active object in the worst case.

This race has existed forever, but was never observed until mod_timer() got a
debug_object_assert_init() added which is outside of the timer base lock
held section right at the beginning of the function to cover the lockless
early exit points too.

Rework the code so that the lookup, the static object check and the
tracking object association happens atomically under the hash bucket
lock. This prevents the issue completely as all callers are serialized on
the hash bucket lock and therefore cannot observe inconsistent state.

Fixes: 3ac7fe5a4a ("infrastructure to debug (dynamic) objects")
Reported-by: syzbot+5093ba19745994288b53@syzkaller.appspotmail.com
Debugged-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Link: https://syzkaller.appspot.com/bug?id=22c8a5938eab640d1c6bcc0e3dc7be519d878462
Link: https://lore.kernel.org/lkml/20230303161906.831686-1-schspa@gmail.com
Link: https://lore.kernel.org/r/87zg7dzgao.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-17 11:35:39 +02:00
crypto lib/crypto: blake2s: move hmac construction into wireguard 2022-06-22 14:11:02 +02:00
dim dim: initialize all struct fields 2022-05-18 09:47:25 +02:00
fonts lib/fonts: fix undefined behavior in bit shift for get_default_font 2023-01-18 11:40:54 +01:00
livepatch
lz4 lz4: fix LZ4_decompress_safe_partial read out of bound 2022-04-15 14:18:39 +02:00
lzo
math
mpi lib/mpi: Fix buffer overrun when SG is too long 2023-03-11 16:43:38 +01:00
raid6 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 2022-04-15 14:18:23 +02:00
reed_solomon
vdso lib/vdso: use "grep -E" instead of "egrep" 2022-12-08 11:22:59 +01:00
xz lib/xz: Validate the value before assigning it to an enum variable 2021-11-17 09:48:31 +01:00
zlib_deflate
zlib_inflate
zstd
.gitignore
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c
assoc_array.c assoc_array: Fix BUG_ON during garbage collect 2022-06-06 08:33:50 +02:00
atomic64_test.c
atomic64.c
audit.c
bcd.c
bch.c
bitmap.c
bitrev.c
bsearch.c
btree.c
bucket_locks.c
bug.c bug: Remove redundant condition check in report_bug 2021-05-14 09:44:27 +02:00
build_OID_registry
bust_spinlocks.c
chacha.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c
cmpdi2.c
compat_audit.c
cpu_rmap.c
cpumask.c
crc4.c
crc7.c
crc8.c
crc16.c
crc32.c
crc32defs.h
crc32test.c
crc64.c
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
ctype.c
debug_info.c
debug_locks.c
debugobjects.c debugobject: Prevent init race with static objects 2023-05-17 11:35:39 +02:00
dec_and_lock.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c lib/decompress_unlz4.c: correctly handle zero-padding around initrds. 2021-07-20 16:10:46 +02:00
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression 2021-11-17 09:48:31 +01:00
decompress.c
devres.c
digsig.c
dump_stack.c
dynamic_debug.c dyndbg: let query-modname override actual module name 2022-10-26 13:22:37 +02:00
dynamic_queue_limits.c
earlycpio.c
error-inject.c
errseq.c
extable.c
fault-inject.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
fdt.c
find_bit_benchmark.c
find_bit.c
flex_proportions.c
gen_crc32table.c
gen_crc64table.c
genalloc.c
generic-radix-tree.c
glob.c
globtest.c
hexdump.c hex2bin: fix access beyond string end 2022-05-09 09:03:22 +02:00
hweight.c
idr.c ida: don't use BUG_ON() for debugging 2022-07-12 16:30:49 +02:00
inflate.c
interval_tree_test.c
interval_tree.c
iomap_copy.c
iomap.c
iommu-helper.c
ioremap.c
iov_iter.c mm/highmem: Lift memcpy_[to|from]_page to core 2023-01-18 11:41:55 +01:00
irq_poll.c
irq_regs.c
is_single_threaded.c
kasprintf.c
Kconfig ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE 2022-03-19 13:40:16 +01:00
Kconfig.debug Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled 2022-12-08 11:23:05 +01:00
Kconfig.kasan
Kconfig.kgdb
Kconfig.ubsan
kfifo.c
klist.c
kobject_uevent.c kobject_uevent: remove warning in init_uevent_argv() 2021-05-19 10:08:33 +02:00
kobject.c
kstrtox.c lib: vsprintf: Fix handling of number field widths in vsscanf 2021-07-14 16:53:16 +02:00
kstrtox.h lib: vsprintf: Fix handling of number field widths in vsscanf 2021-07-14 16:53:16 +02:00
libcrc32c.c
list_debug.c lib/list_debug.c: Detect uninitialized lists 2022-08-25 11:18:36 +02:00
list_sort.c
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lockref.c lockref: stop doing cpu_relax in the cmpxchg loop 2023-02-06 07:52:42 +01:00
logic_pio.c
lru_cache.c
lshrdi3.c
Makefile avoid __memcat_p link failure 2021-05-07 10:51:37 +02:00
memcat_p.c
memory-notifier-error-inject.c
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c netlink: prevent potential spectre v1 gadgets 2023-02-06 07:52:45 +01:00
nmi_backtrace.c
nodemask.c nodemask: Fix return values to be unsigned 2022-06-14 18:12:02 +02:00
notifier-error-inject.c lib/notifier-error-inject: fix error when writing -errno to debugfs file 2023-01-18 11:40:55 +01:00
notifier-error-inject.h
objagg.c
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c once: add DO_ONCE_SLOW() for sleepable contexts 2022-10-26 13:22:27 +02:00
packing.c
parman.c
parser.c
pci_iomap.c
percpu_counter.c
percpu_test.c
percpu-refcount.c
plist.c
pm-notifier-error-inject.c
radix-tree.c
random32.c random: replace custom notifier chain with standard one 2022-06-22 14:11:13 +02:00
ratelimit.c ratelimit: Fix data-races in ___ratelimit(). 2022-09-05 10:27:42 +02:00
rbtree_test.c
rbtree.c
refcount.c locking/refcount: Consolidate implementations of refcount_t 2022-07-29 17:14:17 +02:00
rhashtable.c
sbitmap.c
scatterlist.c
seq_buf.c seq_buf: Fix overflow in seq_buf_putmem_hex() 2021-07-19 08:53:16 +02:00
sg_pool.c
sg_split.c
sha1.c lib/crypto: sha1: re-roll loops to reduce code size 2022-06-22 14:11:03 +02:00
show_mem.c
siphash.c siphash: use one source of truth for siphash permutations 2022-06-22 14:11:16 +02:00
smp_processor_id.c
sort.c
stackdepot.c lib: stackdepot: turn depot_lock spinlock to raw_spinlock 2021-05-22 11:38:30 +02:00
stmp_device.c
string_helpers.c
string.c
strncpy_from_user.c
strnlen_user.c
syscall.c
test_bitfield.c
test_bitmap.c
test_blackhole_dev.c
test_bpf.c bpf/tests: Do not PASS tests without actually testing the result 2021-09-22 12:26:29 +02:00
test_debug_virtual.c
test_firmware.c test_firmware: fix memory leak in test_firmware_init() 2023-01-18 11:41:23 +01:00
test_hash.c
test_hexdump.c
test_ida.c
test_kasan.c
test_kmod.c lib/test: use after free in register_test_dev_kmod() 2022-04-15 14:18:21 +02:00
test_list_sort.c
test_memcat_p.c
test_meminit.c lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test 2022-01-27 09:19:55 +01:00
test_module.c
test_objagg.c
test_overflow.c
test_parman.c
test_printf.c
test_rhashtable.c
test_siphash.c
test_sort.c
test_stackinit.c lib/test_stackinit: Fix static initializer test 2021-09-22 12:26:38 +02:00
test_static_key_base.c
test_static_keys.c
test_string.c
test_strscpy.c
test_sysctl.c
test_ubsan.c
test_user_copy.c
test_uuid.c
test_vmalloc.c
test_xarray.c XArray: Fix xas_create_range() when multi-order entry present 2022-04-15 14:18:28 +02:00
test-kstrtox.c
test-string_helpers.c
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c
ubsan.h
ucmpdi2.c
ucs2_string.c
usercopy.c uaccess: Add speculation barrier to copy_from_user() 2023-02-25 11:53:26 +01:00
uuid.c
vsprintf.c random: replace custom notifier chain with standard one 2022-06-22 14:11:13 +02:00
win_minmax.c
xarray.c XArray: Update the LRU list in xas_split() 2022-04-15 14:18:28 +02:00
xxhash.c