From: Greg Kroah-Hartman Date: Thu, 13 Feb 2020 04:41:13 +0000 (-0800) Subject: drop x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception... X-Git-Tag: v4.4.214~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d7960e5afb08c2389699584466f035a653b40a7;p=thirdparty%2Fkernel%2Fstable-queue.git drop x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index 975fc9768e7..63628b0599f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -83,7 +83,6 @@ drivers-watchdog-stm32_iwdg-set-wdog_hw_running-at-probe.patch media-i2c-adv748x-fix-unsafe-macros.patch dt-bindings-iio-adc-ad7606-fix-wrong-maxitems-value.patch bcache-avoid-unnecessary-btree-nodes-flushing-in-btree_flush_write.patch -x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch selinux-revert-stop-passing-may_not_block-to-the-avc-upon-follow_link.patch selinux-fix-regression-introduced-by-move_mount-2-syscall.patch pinctrl-sh-pfc-r8a77965-fix-du_dotclkin3-drive-bias-control.patch diff --git a/queue-5.4/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch b/queue-5.4/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch deleted file mode 100644 index 5366bf23b4f..00000000000 --- a/queue-5.4/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 285a54efe3861976af9d15e85ff8c91a78d1407b Mon Sep 17 00:00:00 2001 -From: Masami Hiramatsu -Date: Wed, 27 Nov 2019 14:56:52 +0900 -Subject: x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception - -From: Masami Hiramatsu - -commit 285a54efe3861976af9d15e85ff8c91a78d1407b upstream. - -ftracetest multiple_kprobes.tc testcase hits the following NULL pointer -exception: - - BUG: kernel NULL pointer dereference, address: 0000000000000000 - PGD 800000007bf60067 P4D 800000007bf60067 PUD 7bf5f067 PMD 0 - Oops: 0000 [#1] PREEMPT SMP PTI - RIP: 0010:poke_int3_handler+0x39/0x100 - Call Trace: - - do_int3+0xd/0xf0 - int3+0x42/0x50 - RIP: 0010:sched_clock+0x6/0x10 - -poke_int3_handler+0x39 was alternatives:958: - - static inline void *text_poke_addr(struct text_poke_loc *tp) - { - return _stext + tp->rel_addr; <------ Here is line #958 - } - -This seems to be caused by tp (bp_patching.vec) being NULL but -bp_patching.nr_entries != 0. There is a small chance for this -to happen, because we have no synchronization between the zeroing -of bp_patching.nr_entries and before clearing bp_patching.vec. - -Steve suggested we could fix this by adding sync_core(), because int3 -is done with interrupts disabled, and the on_each_cpu() requires -all CPUs to have had their interrupts enabled. - - [ mingo: Edited the comments and the changelog. 
] - -Suggested-by: Steven Rostedt (VMware) -Tested-by: Alexei Starovoitov -Signed-off-by: Masami Hiramatsu -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: bristot@redhat.com -Fixes: c0213b0ac03c ("x86/alternative: Batch of patch operations") -Link: https://lkml.kernel.org/r/157483421229.25881.15314414408559963162.stgit@devnote2 -Signed-off-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kernel/alternative.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/arch/x86/kernel/alternative.c -+++ b/arch/x86/kernel/alternative.c -@@ -1083,8 +1083,14 @@ void text_poke_bp_batch(struct text_poke - * sync_core() implies an smp_mb() and orders this store against - * the writing of the new instruction. - */ -- bp_patching.vec = NULL; - bp_patching.nr_entries = 0; -+ /* -+ * This sync_core () call ensures that all INT3 handlers in progress -+ * have finished. This allows poke_int3_handler() after this to -+ * avoid touching bp_paching.vec by checking nr_entries == 0. -+ */ -+ text_poke_sync(); -+ bp_patching.vec = NULL; - } - - /** diff --git a/queue-5.5/series b/queue-5.5/series index 8c2c21d8562..2c63aefe7a8 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -104,7 +104,6 @@ dt-bindings-iio-adc-ad7606-fix-wrong-maxitems-value.patch asoc-soc-generic-dmaengine-pcm-fix-error-handling.patch bcache-avoid-unnecessary-btree-nodes-flushing-in-btree_flush_write.patch x86-alternatives-add-missing-insn.h-include.patch -x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch selinux-revert-stop-passing-may_not_block-to-the-avc-upon-follow_link.patch selinux-fix-regression-introduced-by-move_mount-2-syscall.patch pinctrl-baytrail-allocate-irq-chip-dynamic.patch 
diff --git a/queue-5.5/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch b/queue-5.5/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch deleted file mode 100644 index 832ab674b8b..00000000000 --- a/queue-5.5/x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 285a54efe3861976af9d15e85ff8c91a78d1407b Mon Sep 17 00:00:00 2001 -From: Masami Hiramatsu -Date: Wed, 27 Nov 2019 14:56:52 +0900 -Subject: x86/alternatives: Sync bp_patching update for avoiding NULL pointer exception - -From: Masami Hiramatsu - -commit 285a54efe3861976af9d15e85ff8c91a78d1407b upstream. - -ftracetest multiple_kprobes.tc testcase hits the following NULL pointer -exception: - - BUG: kernel NULL pointer dereference, address: 0000000000000000 - PGD 800000007bf60067 P4D 800000007bf60067 PUD 7bf5f067 PMD 0 - Oops: 0000 [#1] PREEMPT SMP PTI - RIP: 0010:poke_int3_handler+0x39/0x100 - Call Trace: - - do_int3+0xd/0xf0 - int3+0x42/0x50 - RIP: 0010:sched_clock+0x6/0x10 - -poke_int3_handler+0x39 was alternatives:958: - - static inline void *text_poke_addr(struct text_poke_loc *tp) - { - return _stext + tp->rel_addr; <------ Here is line #958 - } - -This seems to be caused by tp (bp_patching.vec) being NULL but -bp_patching.nr_entries != 0. There is a small chance for this -to happen, because we have no synchronization between the zeroing -of bp_patching.nr_entries and before clearing bp_patching.vec. - -Steve suggested we could fix this by adding sync_core(), because int3 -is done with interrupts disabled, and the on_each_cpu() requires -all CPUs to have had their interrupts enabled. - - [ mingo: Edited the comments and the changelog. 
] - -Suggested-by: Steven Rostedt (VMware) -Tested-by: Alexei Starovoitov -Signed-off-by: Masami Hiramatsu -Cc: Andy Lutomirski -Cc: Borislav Petkov -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Thomas Gleixner -Cc: bristot@redhat.com -Fixes: c0213b0ac03c ("x86/alternative: Batch of patch operations") -Link: https://lkml.kernel.org/r/157483421229.25881.15314414408559963162.stgit@devnote2 -Signed-off-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman - ---- - arch/x86/kernel/alternative.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - ---- a/arch/x86/kernel/alternative.c -+++ b/arch/x86/kernel/alternative.c -@@ -1110,8 +1110,14 @@ void text_poke_bp_batch(struct text_poke - * sync_core() implies an smp_mb() and orders this store against - * the writing of the new instruction. - */ -- bp_patching.vec = NULL; - bp_patching.nr_entries = 0; -+ /* -+ * This sync_core () call ensures that all INT3 handlers in progress -+ * have finished. This allows poke_int3_handler() after this to -+ * avoid touching bp_paching.vec by checking nr_entries == 0. -+ */ -+ text_poke_sync(); -+ bp_patching.vec = NULL; - } - - void text_poke_loc_init(struct text_poke_loc *tp, void *addr,
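Review bot: the subject line "drop x86-alternatives-sync-bp_patching-update-for-avoiding-null-pointer-exception.patch" is the entire commit message, so the queue-5.4/series and queue-5.5/series hunks record no reason for the removal, and neither hunk points at what replaces it. One line saying why (already in that stable tree, fails to build there, or dropped at the author's request), with a Link: to the report or the upstream commit that makes it redundant, would save the next triage pass from re-queueing it. Separately, the queue-5.5/series hunk keeps x86-alternatives-add-missing-insn.h-include.patch directly above the removed entry; worth confirming that it still applies and builds with its neighbour gone.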
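Review bot: in the deleted queue-5.4 file, the hunk at @@ -1083,8 +1083,14 @@ introduces a call to text_poke_sync(), yet nothing in the hunk context or the changelog shows that helper existing in 5.4's arch/x86/kernel/alternative.c; the surrounding comment still speaks of sync_core(), and the upstream text only says "we could fix this by adding sync_core()". If an undefined text_poke_sync() is what broke the 5.4 build, say so in the drop commit, because the race the changelog describes (nr_entries zeroed with vec still live, then vec cleared with no sync between them, leaving poke_int3_handler() to dereference NULL) is marked Fixes: c0213b0ac03c and so is still present in 5.4. A 5.4-specific backport that performs the same cross-CPU sync at the same point (if that tree still spells it as on_each_cpu(do_sync_core, NULL, 1), which this page does not show) would close the window without needing the newer helper.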
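Review bot: in the deleted queue-5.5 file, the comment added at @@ -1110,8 +1110,14 @@ misspells bp_patching as "bp_paching" and writes "sync_core ()" with a space before the parentheses; the file is a verbatim copy of upstream 285a54efe386, so these should be fixed upstream rather than patched in a backport. The pre-existing comment in the context, "sync_core() implies an smp_mb() and orders this store against the writing of the new instruction", now sits above only the bp_patching.nr_entries = 0 store, while the bp_patching.vec = NULL store it used to cover has moved below text_poke_sync(); the comment should name the store it refers to so the two orderings (nr_entries before the sync, vec after it) are not read as one. The same applies to the identical queue-5.4 copy at @@ -1083.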