mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-01 11:24:25 +08:00
c777b11d34
Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
in parent_create_sysfs_files(), it will return 0 and probe successfully.
And when rmmod mdpy.ko, the mdpy_dev_exit() will call
mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
parent->types[i] in parent_remove_sysfs_files(), and it will cause
below null-ptr-deref.
If mdev_type_add() fails, return the error code and kset_unregister()
to fix the issue.
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
? die_addr+0x3d/0xa0
? exc_general_protection+0x144/0x220
? asm_exc_general_protection+0x22/0x30
? __kobject_del+0x62/0x1c0
kobject_del+0x32/0x50
parent_remove_sysfs_files+0xd6/0x170 [mdev]
mdev_unregister_parent+0xfb/0x190 [mdev]
? mdev_register_parent+0x270/0x270 [mdev]
? find_module_all+0x9d/0xe0
mdpy_dev_exit+0x17/0x63 [mdpy]
__do_sys_delete_module.constprop.0+0x2fa/0x4b0
? module_flags+0x300/0x300
? __fput+0x4e7/0xa00
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fbc813221b7
Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
</TASK>
Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:__kobject_del+0x62/0x1c0
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
PKRU: 55555554
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 1 seconds..
Fixes: da44c340c4
("vfio/mdev: simplify mdev_type handling")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Link: https://lore.kernel.org/r/20230918115551.1423193-1-ruanjinjie@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
303 lines
7.0 KiB
C
303 lines
7.0 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* File attributes for Mediated devices
|
|
*
|
|
* Copyright (c) 2016, NVIDIA CORPORATION. All rights reserved.
|
|
* Author: Neo Jia <cjia@nvidia.com>
|
|
* Kirti Wankhede <kwankhede@nvidia.com>
|
|
*/
|
|
|
|
#include <linux/sysfs.h>
|
|
#include <linux/ctype.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/mdev.h>
|
|
|
|
#include "mdev_private.h"
|
|
|
|
struct mdev_type_attribute {
|
|
struct attribute attr;
|
|
ssize_t (*show)(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr, char *buf);
|
|
ssize_t (*store)(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr, const char *buf,
|
|
size_t count);
|
|
};
|
|
|
|
#define MDEV_TYPE_ATTR_RO(_name) \
|
|
struct mdev_type_attribute mdev_type_attr_##_name = __ATTR_RO(_name)
|
|
#define MDEV_TYPE_ATTR_WO(_name) \
|
|
struct mdev_type_attribute mdev_type_attr_##_name = __ATTR_WO(_name)
|
|
|
|
static ssize_t mdev_type_attr_show(struct kobject *kobj,
|
|
struct attribute *__attr, char *buf)
|
|
{
|
|
struct mdev_type_attribute *attr = to_mdev_type_attr(__attr);
|
|
struct mdev_type *type = to_mdev_type(kobj);
|
|
ssize_t ret = -EIO;
|
|
|
|
if (attr->show)
|
|
ret = attr->show(type, attr, buf);
|
|
return ret;
|
|
}
|
|
|
|
static ssize_t mdev_type_attr_store(struct kobject *kobj,
|
|
struct attribute *__attr,
|
|
const char *buf, size_t count)
|
|
{
|
|
struct mdev_type_attribute *attr = to_mdev_type_attr(__attr);
|
|
struct mdev_type *type = to_mdev_type(kobj);
|
|
ssize_t ret = -EIO;
|
|
|
|
if (attr->store)
|
|
ret = attr->store(type, attr, buf, count);
|
|
return ret;
|
|
}
|
|
|
|
static const struct sysfs_ops mdev_type_sysfs_ops = {
|
|
.show = mdev_type_attr_show,
|
|
.store = mdev_type_attr_store,
|
|
};
|
|
|
|
static ssize_t create_store(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr, const char *buf,
|
|
size_t count)
|
|
{
|
|
char *str;
|
|
guid_t uuid;
|
|
int ret;
|
|
|
|
if ((count < UUID_STRING_LEN) || (count > UUID_STRING_LEN + 1))
|
|
return -EINVAL;
|
|
|
|
str = kstrndup(buf, count, GFP_KERNEL);
|
|
if (!str)
|
|
return -ENOMEM;
|
|
|
|
ret = guid_parse(str, &uuid);
|
|
kfree(str);
|
|
if (ret)
|
|
return ret;
|
|
|
|
ret = mdev_device_create(mtype, &uuid);
|
|
if (ret)
|
|
return ret;
|
|
|
|
return count;
|
|
}
|
|
static MDEV_TYPE_ATTR_WO(create);
|
|
|
|
static ssize_t device_api_show(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%s\n", mtype->parent->mdev_driver->device_api);
|
|
}
|
|
static MDEV_TYPE_ATTR_RO(device_api);
|
|
|
|
static ssize_t name_show(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr, char *buf)
|
|
{
|
|
return sysfs_emit(buf, "%s\n",
|
|
mtype->pretty_name ? mtype->pretty_name : mtype->sysfs_name);
|
|
}
|
|
|
|
static MDEV_TYPE_ATTR_RO(name);
|
|
|
|
static ssize_t available_instances_show(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr,
|
|
char *buf)
|
|
{
|
|
struct mdev_driver *drv = mtype->parent->mdev_driver;
|
|
|
|
if (drv->get_available)
|
|
return sysfs_emit(buf, "%u\n", drv->get_available(mtype));
|
|
return sysfs_emit(buf, "%u\n",
|
|
atomic_read(&mtype->parent->available_instances));
|
|
}
|
|
static MDEV_TYPE_ATTR_RO(available_instances);
|
|
|
|
static ssize_t description_show(struct mdev_type *mtype,
|
|
struct mdev_type_attribute *attr,
|
|
char *buf)
|
|
{
|
|
return mtype->parent->mdev_driver->show_description(mtype, buf);
|
|
}
|
|
static MDEV_TYPE_ATTR_RO(description);
|
|
|
|
static struct attribute *mdev_types_core_attrs[] = {
|
|
&mdev_type_attr_create.attr,
|
|
&mdev_type_attr_device_api.attr,
|
|
&mdev_type_attr_name.attr,
|
|
&mdev_type_attr_available_instances.attr,
|
|
&mdev_type_attr_description.attr,
|
|
NULL,
|
|
};
|
|
|
|
static umode_t mdev_types_core_is_visible(struct kobject *kobj,
|
|
struct attribute *attr, int n)
|
|
{
|
|
if (attr == &mdev_type_attr_description.attr &&
|
|
!to_mdev_type(kobj)->parent->mdev_driver->show_description)
|
|
return 0;
|
|
return attr->mode;
|
|
}
|
|
|
|
static struct attribute_group mdev_type_core_group = {
|
|
.attrs = mdev_types_core_attrs,
|
|
.is_visible = mdev_types_core_is_visible,
|
|
};
|
|
|
|
static const struct attribute_group *mdev_type_groups[] = {
|
|
&mdev_type_core_group,
|
|
NULL,
|
|
};
|
|
|
|
static void mdev_type_release(struct kobject *kobj)
|
|
{
|
|
struct mdev_type *type = to_mdev_type(kobj);
|
|
|
|
pr_debug("Releasing group %s\n", kobj->name);
|
|
/* Pairs with the get in add_mdev_supported_type() */
|
|
put_device(type->parent->dev);
|
|
}
|
|
|
|
static struct kobj_type mdev_type_ktype = {
|
|
.sysfs_ops = &mdev_type_sysfs_ops,
|
|
.release = mdev_type_release,
|
|
.default_groups = mdev_type_groups,
|
|
};
|
|
|
|
static int mdev_type_add(struct mdev_parent *parent, struct mdev_type *type)
|
|
{
|
|
int ret;
|
|
|
|
type->kobj.kset = parent->mdev_types_kset;
|
|
type->parent = parent;
|
|
/* Pairs with the put in mdev_type_release() */
|
|
get_device(parent->dev);
|
|
|
|
ret = kobject_init_and_add(&type->kobj, &mdev_type_ktype, NULL,
|
|
"%s-%s", dev_driver_string(parent->dev),
|
|
type->sysfs_name);
|
|
if (ret) {
|
|
kobject_put(&type->kobj);
|
|
return ret;
|
|
}
|
|
|
|
type->devices_kobj = kobject_create_and_add("devices", &type->kobj);
|
|
if (!type->devices_kobj) {
|
|
ret = -ENOMEM;
|
|
goto attr_devices_failed;
|
|
}
|
|
|
|
return 0;
|
|
|
|
attr_devices_failed:
|
|
kobject_del(&type->kobj);
|
|
kobject_put(&type->kobj);
|
|
return ret;
|
|
}
|
|
|
|
static void mdev_type_remove(struct mdev_type *type)
|
|
{
|
|
kobject_put(type->devices_kobj);
|
|
kobject_del(&type->kobj);
|
|
kobject_put(&type->kobj);
|
|
}
|
|
|
|
/* mdev sysfs functions */
|
|
void parent_remove_sysfs_files(struct mdev_parent *parent)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < parent->nr_types; i++)
|
|
mdev_type_remove(parent->types[i]);
|
|
kset_unregister(parent->mdev_types_kset);
|
|
}
|
|
|
|
int parent_create_sysfs_files(struct mdev_parent *parent)
|
|
{
|
|
int ret, i;
|
|
|
|
parent->mdev_types_kset = kset_create_and_add("mdev_supported_types",
|
|
NULL, &parent->dev->kobj);
|
|
if (!parent->mdev_types_kset)
|
|
return -ENOMEM;
|
|
|
|
for (i = 0; i < parent->nr_types; i++) {
|
|
ret = mdev_type_add(parent, parent->types[i]);
|
|
if (ret)
|
|
goto out_err;
|
|
}
|
|
return 0;
|
|
|
|
out_err:
|
|
while (--i >= 0)
|
|
mdev_type_remove(parent->types[i]);
|
|
kset_unregister(parent->mdev_types_kset);
|
|
return ret;
|
|
}
|
|
|
|
static ssize_t remove_store(struct device *dev, struct device_attribute *attr,
|
|
const char *buf, size_t count)
|
|
{
|
|
struct mdev_device *mdev = to_mdev_device(dev);
|
|
unsigned long val;
|
|
|
|
if (kstrtoul(buf, 0, &val) < 0)
|
|
return -EINVAL;
|
|
|
|
if (val && device_remove_file_self(dev, attr)) {
|
|
int ret;
|
|
|
|
ret = mdev_device_remove(mdev);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
|
|
return count;
|
|
}
|
|
|
|
static DEVICE_ATTR_WO(remove);
|
|
|
|
static struct attribute *mdev_device_attrs[] = {
|
|
&dev_attr_remove.attr,
|
|
NULL,
|
|
};
|
|
|
|
static const struct attribute_group mdev_device_group = {
|
|
.attrs = mdev_device_attrs,
|
|
};
|
|
|
|
const struct attribute_group *mdev_device_groups[] = {
|
|
&mdev_device_group,
|
|
NULL
|
|
};
|
|
|
|
int mdev_create_sysfs_files(struct mdev_device *mdev)
|
|
{
|
|
struct mdev_type *type = mdev->type;
|
|
struct kobject *kobj = &mdev->dev.kobj;
|
|
int ret;
|
|
|
|
ret = sysfs_create_link(type->devices_kobj, kobj, dev_name(&mdev->dev));
|
|
if (ret)
|
|
return ret;
|
|
|
|
ret = sysfs_create_link(kobj, &type->kobj, "mdev_type");
|
|
if (ret)
|
|
goto type_link_failed;
|
|
return ret;
|
|
|
|
type_link_failed:
|
|
sysfs_remove_link(mdev->type->devices_kobj, dev_name(&mdev->dev));
|
|
return ret;
|
|
}
|
|
|
|
void mdev_remove_sysfs_files(struct mdev_device *mdev)
|
|
{
|
|
struct kobject *kobj = &mdev->dev.kobj;
|
|
|
|
sysfs_remove_link(kobj, "mdev_type");
|
|
sysfs_remove_link(mdev->type->devices_kobj, dev_name(&mdev->dev));
|
|
}
|