From: Greg Kroah-Hartman Date: Tue, 29 Mar 2022 11:23:51 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.275~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=567bdae6d0ae5c724e290bf27ab4e86c9b30e3fd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: locking-lockdep-avoid-potential-access-of-invalid-memory-in-lock_class.patch --- diff --git a/queue-5.10/locking-lockdep-avoid-potential-access-of-invalid-memory-in-lock_class.patch b/queue-5.10/locking-lockdep-avoid-potential-access-of-invalid-memory-in-lock_class.patch new file mode 100644 index 00000000000..85adb79c866 --- /dev/null +++ b/queue-5.10/locking-lockdep-avoid-potential-access-of-invalid-memory-in-lock_class.patch @@ -0,0 +1,87 @@ +From 61cc4534b6550997c97a03759ab46b29d44c0017 Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Sun, 2 Jan 2022 21:35:58 -0500 +Subject: locking/lockdep: Avoid potential access of invalid memory in lock_class + +From: Waiman Long + +commit 61cc4534b6550997c97a03759ab46b29d44c0017 upstream. + +It was found that reading /proc/lockdep after a lockdep splat may +potentially cause an access to freed memory if lockdep_unregister_key() +is called after the splat but before access to /proc/lockdep [1]. This +is due to the fact that graph_lock() call in lockdep_unregister_key() +fails after the clearing of debug_locks by the splat process. + +After lockdep_unregister_key() is called, the lock_name may be freed +but the corresponding lock_class structure still have a reference to +it. That invalid memory pointer will then be accessed when /proc/lockdep +is read by a user and a use-after-free (UAF) error will be reported if +KASAN is enabled. + +To fix this problem, lockdep_unregister_key() is now modified to always +search for a matching key irrespective of the debug_locks state and +zap the corresponding lock class if a matching one is found. + +[1] https://lore.kernel.org/lkml/77f05c15-81b6-bddd-9650-80d5f23fe330@i-love.sakura.ne.jp/ + +Fixes: 8b39adbee805 ("locking/lockdep: Make lockdep_unregister_key() honor 'debug_locks' again") +Reported-by: Tetsuo Handa +Signed-off-by: Waiman Long +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Bart Van Assche +Cc: Cheng-Jui Wang +Link: https://lkml.kernel.org/r/20220103023558.1377055-1-longman@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/lockdep.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -6209,7 +6209,13 @@ void lockdep_reset_lock(struct lockdep_m + lockdep_reset_lock_reg(lock); + } + +-/* Unregister a dynamically allocated key. */ ++/* ++ * Unregister a dynamically allocated key. ++ * ++ * Unlike lockdep_register_key(), a search is always done to find a matching ++ * key irrespective of debug_locks to avoid potential invalid access to freed ++ * memory in lock_class entry. ++ */ + void lockdep_unregister_key(struct lock_class_key *key) + { + struct hlist_head *hash_head = keyhashentry(key); +@@ -6224,10 +6230,8 @@ void lockdep_unregister_key(struct lock_ + return; + + raw_local_irq_save(flags); +- if (!graph_lock()) +- goto out_irq; ++ lockdep_lock(); + +- pf = get_pending_free(); + hlist_for_each_entry_rcu(k, hash_head, hash_entry) { + if (k == key) { + hlist_del_rcu(&k->hash_entry); +@@ -6235,11 +6239,13 @@ void lockdep_unregister_key(struct lock_ + break; + } + } +- WARN_ON_ONCE(!found); +- __lockdep_free_key_range(pf, key, 1); +- call_rcu_zapped(pf); +- graph_unlock(); +-out_irq: ++ WARN_ON_ONCE(!found && debug_locks); ++ if (found) { ++ pf = get_pending_free(); ++ __lockdep_free_key_range(pf, key, 1); ++ call_rcu_zapped(pf); ++ } ++ lockdep_unlock(); + raw_local_irq_restore(flags); + + /* Wait until is_dynamic_key() has finished accessing k->hash_entry. */ diff --git a/queue-5.10/series b/queue-5.10/series index 3bbae40a191..1ee7c16b212 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -19,3 +19,4 @@ spi-fix-erroneous-sgs-value-with-min_t.patch input-zinitix-do-not-report-shadow-fingers.patch af_key-add-__gfp_zero-flag-for-compose_sadb_supporte.patch net-dsa-microchip-add-spi_device_id-tables.patch +locking-lockdep-avoid-potential-access-of-invalid-memory-in-lock_class.patch