From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Thomas Gleixner, Borislav Petkov
Subject: [PATCH 5.4 053/135] x86/mce/amd: Fix kobject lifetime
Date: Thu, 27 Feb 2020 14:36:33 +0100
Message-Id: <20200227132237.110616024@linuxfoundation.org>

From: Thomas Gleixner

commit 51dede9c05df2b78acd6dcf6a17d21f0877d2d7b upstream.

Accessing the MCA thresholding controls in sysfs concurrently with CPU
hotplug can lead to a couple of KASAN-reported issues:

  BUG: KASAN: use-after-free in sysfs_file_ops+0x155/0x180
  Read of size 8 at addr ffff888367578940 by task grep/4019

and

  BUG: KASAN: use-after-free in show_error_count+0x15c/0x180
  Read of size 2 at addr ffff888368a05514 by task grep/4454

for example. Both result from the fact that the threshold block
creation/teardown code frees the descriptor memory itself instead of
defining proper ->release function and leaving it to the driver core to
take care of that, after all sysfs accesses have completed.

Do that and get rid of the custom freeing code, fixing the above UAFs in
the process.

  [ bp: write commit message. ]

Fixes: 95268664390b ("[PATCH] x86_64: mce_amd support for family 0x10 processors")
Signed-off-by: Thomas Gleixner
Signed-off-by: Borislav Petkov
Cc:
Link: https://lkml.kernel.org/r/20200214082801.13836-1-bp@alien8.de
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kernel/cpu/mce/amd.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

--- a/arch/x86/kernel/cpu/mce/amd.c +++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -1161,9 +1161,12 @@ static const struct sysfs_ops threshold_ .store = store, }; +static void threshold_block_release(struct kobject *kobj); + static struct kobj_type threshold_ktype = { .sysfs_ops = &threshold_ops, .default_attrs = default_attrs, + .release = threshold_block_release, }; static const char *get_name(unsigned int bank, struct threshold_block *b) @@ -1365,8 +1368,12 @@ static int threshold_create_bank(unsigne return err; } -static void deallocate_threshold_block(unsigned int cpu, - unsigned int bank) +static void threshold_block_release(struct kobject *kobj) +{ + kfree(to_block(kobj)); +} + +static void deallocate_threshold_block(unsigned int cpu, unsigned int bank) { struct threshold_block *pos = NULL; struct threshold_block *tmp = NULL; @@ -1376,13 +1383,11 @@ static void deallocate_threshold_block(u return; list_for_each_entry_safe(pos, tmp, &head->blocks->miscj, miscj) { - kobject_put(&pos->kobj); list_del(&pos->miscj); - kfree(pos); + kobject_put(&pos->kobj); } - kfree(per_cpu(threshold_banks, cpu)[bank]->blocks); - per_cpu(threshold_banks, cpu)[bank]->blocks = NULL; + kobject_put(&head->blocks->kobj); } static void __threshold_remove_blocks(struct threshold_bank *b)
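
Review bot: in the first hunk (@@ -1161), `.release = threshold_block_release` is set on threshold_ktype, and the release body added later is an unconditional `kfree(to_block(kobj))`, so every kobject initialised with this ktype must be embedded in a heap-allocated struct threshold_block. A short comment on the ktype stating that requirement would help. The forward declaration could also be avoided by defining threshold_block_release() above threshold_ktype.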
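
Review bot: threshold_block_release() in the second hunk (@@ -1365) carries no comment saying that it runs only when the last reference is dropped, which can be after deallocate_threshold_block() has returned. One line to that effect would discourage a later change from reintroducing a direct kfree() of the block. Joining the deallocate_threshold_block() signature onto one line in the same hunk is whitespace churn unrelated to the fix and could be left out of a stable backport.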
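
Review bot: at the end of the third hunk (@@ -1376), the removed `per_cpu(threshold_banks, cpu)[bank]->blocks = NULL;` has no replacement, so after `kobject_put(&head->blocks->kobj)` the `blocks` pointer may refer to memory that the release callback has already freed. Either keep clearing `head->blocks` after the put, or say in the changelog why no caller can read it again. Moving list_del() ahead of kobject_put() inside the loop is the right order, since the put may free `pos`.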