From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Thomas Gleixner, Borislav Petkov
Subject: [PATCH 4.19 38/97] x86/mce/amd: Fix kobject lifetime
Date: Thu, 27 Feb 2020 14:36:46 +0100
Message-Id: <20200227132220.767800679@linuxfoundation.org>
In-Reply-To: <20200227132214.553656188@linuxfoundation.org>
References: <20200227132214.553656188@linuxfoundation.org>

From: Thomas Gleixner

commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream.

Accessing the MCA thresholding controls in sysfs concurrently with CPU
hotplug can lead to a couple of KASAN-reported issues:

  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
  Read of size 8 at addr ffff888367578940 by task grep/4019

and

  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
  Read of size 2 at addr ffff888368a05514 by task grep/4454

for example. Both result from the fact that the threshold block
creation/teardown code frees the descriptor memory itself instead of
defining proper ->release function and leaving it to the driver core to
take care of that, after all sysfs accesses have completed.

Do that and get rid of the custom freeing code, fixing the above UAFs in
the process.

  [ bp: write commit message. ]

Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
Signed-off-by: Thomas Gleixner
Signed-off-by: Borislav Petkov
Cc:
Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/kernel/cpu/mcheck/mce_amd.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) --- a/arch/x86/kernel/cpu/mcheck/mce_amd.c +++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
@@ -1117,9 +1117,12 @@ static const struct sysfs_ops threshold_ .store = store, }; +static void threshold_block_release(struct kobject *kobj); + static struct kobj_type threshold_ktype = { .sysfs_ops = &threshold_ops, .default_attrs = default_attrs, + .release = threshold_block_release, }; static const char *get_name(unsigned int bank, struct threshold_block *b) @@ -1321,8 +1324,12 @@ static int threshold_create_bank(unsigne return err; } -static void deallocate_threshold_block(unsigned int cpu, - unsigned int bank) +static void threshold_block_release(struct kobject *kobj) +{ + kfree(to_block(kobj)); +} + +static void deallocate_threshold_block(unsigned int cpu, unsigned int bank) { struct threshold_block *pos = NULL; struct threshold_block *tmp = NULL; @@ -1332,13 +1339,11 @@ static void deallocate_threshold_block(u return; list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) { - kobject_put(&pos->kobj); list_del(&pos->miscj); - kfree(pos); + kobject_put(&pos->kobj); } - kfree(per_cpu(threshold_banks, cpu)[bank]->blocks); - per_cpu(threshold_banks, cpu)[bank]->blocks = NULL; + kobject_put(&head->blocks->kobj); } static void __threshold_remove_blocks(struct threshold_bank *b)
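
Review bot: threshold_block_release() in the second hunk (@@ -1321,8 +1324,12 @@) becomes the only place a threshold_block may be freed, but nothing next to it documents that ownership rule, and the diff converts only the teardown path while the commit message names "creation/teardown". A short comment above the function would help, stating that once the kobject is initialised the block is owned by its refcount and must never be passed to kfree() directly. Please also confirm that any error path on the creation side drops the block with kobject_put() alone; a leftover kfree() after a put would free the block twice now that ->release does `kfree(to_block(kobj));`.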
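
Review bot: In the last hunk (@@ -1332,13 +1339,11 @@) the removed `per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;` has no replacement, so after `kobject_put(&head->blocks->kobj);` the ->blocks pointer keeps its old value even though that put may drop the final reference and let ->release free the memory. If anything can still read ->blocks after this function returns, it will see a stale pointer instead of NULL. Either keep the NULL assignment after the put, or add a comment explaining why no later reader exists. The reordering inside the loop (list_del() before kobject_put()) looks right, since pos must not be touched once the put has run.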