korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-12 21:44:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
ae13381da5
linux/drivers/misc
History
Dae R. Jeong ae13381da5 vmci_host: fix a race condition in vmci_host_poll() causing GPF 
During fuzzing, a general protection fault is observed in
vmci_host_poll().

general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
RIP: 0010:__lock_acquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926
<- omitting registers ->
Call Trace:
 <TASK>
 lock_acquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xb3/0x100 kernel/locking/spinlock.c:162
 add_wait_queue+0x3d/0x260 kernel/sched/wait.c:22
 poll_wait include/linux/poll.h:49 [inline]
 vmci_host_poll+0xf8/0x2b0 drivers/misc/vmw_vmci/vmci_host.c:174
 vfs_poll include/linux/poll.h:88 [inline]
 do_pollfd fs/select.c:873 [inline]
 do_poll fs/select.c:921 [inline]
 do_sys_poll+0xc7c/0x1aa0 fs/select.c:1015
 __do_sys_ppoll fs/select.c:1121 [inline]
 __se_sys_ppoll+0x2cc/0x330 fs/select.c:1101
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4e/0xa0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Example thread interleaving that causes the general protection fault
is as follows:

CPU1 (vmci_host_poll)               CPU2 (vmci_host_do_init_context)
-----                               -----
// Read uninitialized context
context = vmci_host_dev->context;
                                    // Initialize context
                                    vmci_host_dev->context = vmci_ctx_create();
                                    vmci_host_dev->ct_type = VMCIOBJ_CONTEXT;

if (vmci_host_dev->ct_type == VMCIOBJ_CONTEXT) {
    // Dereferencing the wrong pointer
    poll_wait(..., &context->host_context);
}

In this scenario, vmci_host_poll() reads vmci_host_dev->context first,
and then reads vmci_host_dev->ct_type to check that
vmci_host_dev->context is initialized. However, since these two reads
are not atomically executed, there is a chance of a race condition as
described above.

To fix this race condition, read vmci_host_dev->context after checking
the value of vmci_host_dev->ct_type so that vmci_host_poll() always
reads an initialized context.

Reported-by: Dae R. Jeong <threeearcat@gmail.com>
Fixes: 8bf503991f ("VMCI: host side driver implementation.")
Signed-off-by: Dae R. Jeong <threeearcat@gmail.com>
Link: https://lore.kernel.org/r/ZCGFsdBAU4cYww5l@dragonet
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-04-05 19:37:35 +02:00
..
altera-stapl misc: move from strlcpy with unused retval to strscpy 2022-09-01 16:29:42 +02:00
bcm-vk misc: bcm_vk: Remove usage of deprecated functions 2022-09-01 16:29:32 +02:00
c2port
cardreader misc: alcor_pci: remove unused alcor functions 2023-03-29 12:20:32 +02:00
cb710
cxl mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
echo
eeprom eeprom: idt_89hpesx: Fix error handling in idt_init() 2023-01-20 12:05:26 +01:00
genwqe misc: genwqe: Drop redundant pci_enable_pcie_error_reporting() 2023-03-09 17:33:00 +01:00
ibmasm
lis3lv02d misc: lis3lv02d: Fix reading 'st,default-rate' property 2023-03-17 15:23:32 +01:00
lkdtm fortify: Use __builtin_dynamic_object_size() when available 2023-01-05 12:08:29 -08:00
mchp_pci1xxxx misc: microchip: pci1xxxx: Convert to immutable irqchip 2023-03-09 18:07:29 +01:00
mei mei: Move uuid.h to the MEI namespace 2023-03-23 17:25:46 +01:00
ocxl mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
pvpanic misc/pvpanic: Convert regular spinlock into trylock on panic path 2022-04-29 16:54:59 +02:00
sgi-gru Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
sgi-xp sgi-xp: simplify sysctl registration 2023-03-09 17:32:13 +01:00
ti-st drivers: misc: ti-st: Fix a typo ("unknow") 2023-01-31 13:02:46 +01:00
uacce Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
vmw_vmci vmci_host: fix a race condition in vmci_host_poll() causing GPF 2023-04-05 19:37:35 +02:00
ad525x_dpot-i2c.c misc: ad525x_dpot-i2c: Convert to i2c's .probe_new() 2023-03-09 21:58:45 +01:00
ad525x_dpot-spi.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
ad525x_dpot.c
ad525x_dpot.h
apds990x.c misc: apds990x: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
apds9802als.c misc: apds9802als: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
atmel-ssc.c misc: update maintainer email address and description for atmel-ssc 2022-08-03 11:03:03 +02:00
bh1770glc.c misc: bh1770glc: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
cs5535-mfgpt.c
ds1682.c misc: ds1682: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
dummy-irq.c
dw-xdata-pcie.c
enclosure.c misc: enclosure: Fix doc for enclosure_find() 2023-01-20 13:06:50 +01:00
fastrpc.c ARM: SoC drivers for 6.3 2023-02-27 10:04:49 -08:00
gehc-achc.c
hi6421v600-irq.c misc: hi6421-spmi-pmic: Use generic_handle_irq_safe(). 2022-03-02 22:28:50 +01:00
hisi_hikey_usb.c
hmc6352.c misc: hmc6352: Convert to i2c's .probe_new() 2022-11-23 19:56:38 +01:00
hpilo.c misc: hpilo: remove unused is_device_reset function 2023-03-29 12:19:43 +02:00
hpilo.h
ibmvmc.c ibmvmc: don't open-code file_inode() 2022-09-01 17:42:27 -04:00
ibmvmc.h
ics932s401.c misc: ics932s401: Convert to i2c's .probe_new() 2022-11-23 19:56:39 +01:00
isl29003.c misc: isl29003: Use sysfs_emit() to instead of sprintf() 2023-01-31 13:02:46 +01:00
isl29020.c misc: isl29020: Convert to i2c's .probe_new() 2022-11-23 19:56:07 +01:00
Kconfig Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
kgdbts.c kgdbts: fix return value of __setup handler 2022-03-18 14:17:56 +01:00
lattice-ecp3-config.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
Makefile Char/Misc and other driver subsystem changes for 6.3-rc1 2023-02-24 12:47:33 -08:00
open-dice.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
pch_phub.c
pci_endpoint_test.c Merge branch 'pci/misc' 2023-02-22 13:47:32 -06:00
phantom.c
qcom-coincell.c
smpro-errmon.c misc: smpro-errmon: Add dimm training failure syndrome 2023-03-10 09:47:16 +01:00
smpro-misc.c misc: smpro-misc: Add Ampere's Altra SMpro misc driver 2022-11-10 19:03:03 +01:00
sram-exec.c mm: Introduce set_memory_rox() 2022-12-15 10:37:26 -08:00
sram.c misc/sram: Use of_property_read_bool() for boolean properties 2023-03-17 15:23:25 +01:00
sram.h misc: sram: Improve and simplify clk handling 2023-03-09 17:31:53 +01:00
tifm_7xx1.c misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() 2022-11-23 19:55:26 +01:00
tifm_core.c driver core: make struct bus_type.uevent() take a const * 2023-01-27 13:45:52 +01:00
tsl2550.c misc: tsl2550: Convert to i2c's .probe_new() 2022-11-23 19:56:05 +01:00
vcpu_stall_detector.c misc: Add a mechanism to detect stalls on guest vCPUs 2022-07-14 16:54:17 +02:00
vmw_balloon.c misc: vmw_balloon: fix memory leak with using debugfs_lookup() 2023-02-08 13:24:22 +01:00
xilinx_sdfec.c misc/xilinx_sdfec: Replace kmap() with kmap_local_page() 2022-09-09 10:22:36 +02:00
xilinx_tmr_inject.c drivers: misc: Add Support for TMR Inject IP 2023-01-20 13:10:15 +01:00
xilinx_tmr_manager.c drivers: misc: Add Support for TMR Manager 2023-01-20 13:09:30 +01:00