Harald Freudenberger
50ed48c80f
s390/zcrypt: fix reference counting on zcrypt card objects
Tests with hot-plugging crypto cards on KVM guests with debug
kernel build revealed a use after free for the load field of
the struct zcrypt_card. The reason was an incorrect reference
handling of the zcrypt card object which could lead to a free
of the zcrypt card object while it was still in use.
This is an example of the slab message:
kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b
kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43
kernel: kmalloc_trace+0x3f2/0x470
kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]
kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]
kernel: ap_device_probe+0x15c/0x290
kernel: really_probe+0xd2/0x468
kernel: driver_probe_device+0x40/0xf0
kernel: __device_attach_driver+0xc0/0x140
kernel: bus_for_each_drv+0x8c/0xd0
kernel: __device_attach+0x114/0x198
kernel: bus_probe_device+0xb4/0xc8
kernel: device_add+0x4d2/0x6e0
kernel: ap_scan_adapter+0x3d0/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43
kernel: kfree+0x37e/0x418
kernel: zcrypt_card_put+0x54/0x80 [zcrypt]
kernel: ap_device_remove+0x4c/0xe0
kernel: device_release_driver_internal+0x1c4/0x270
kernel: bus_remove_device+0x100/0x188
kernel: device_del+0x164/0x3c0
kernel: device_unregister+0x30/0x90
kernel: ap_scan_adapter+0xc8/0x7c0
kernel: ap_scan_bus+0x5a/0x3b0
kernel: ap_scan_bus_wq_callback+0x40/0x60
kernel: process_one_work+0x26e/0x620
kernel: worker_thread+0x21c/0x440
kernel: kthread+0x150/0x168
kernel: __ret_from_fork+0x3c/0x58
kernel: ret_from_fork+0xa/0x30
kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)
kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88
kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........
kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.
kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........
kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2
kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)
kernel: Call Trace:
kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120
kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140
kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8
kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8
kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0
kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8
kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8
kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590
kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0
kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0
kernel: [<00000000c9b919dc>] ext4_htree_fill_tree+0x134/0x400
kernel: [<00000000c9b4b3d0>] ext4_dx_readdir+0x160/0x2f0
kernel: [<00000000c9b4bedc>] ext4_readdir+0x5f4/0x760
kernel: [<00000000c9a7efc4>] iterate_dir+0xb4/0x280
kernel: [<00000000c9a7f1ea>] __do_sys_getdents64+0x5a/0x120
kernel: [<00000000ca5d6946>] __do_syscall+0x256/0x310
kernel: [<00000000ca5eea10>] system_call+0x70/0x98
kernel: INFO: lockdep is turned off.
kernel: FIX kmalloc-96: Restoring Poison 0x00000000885a7512-0x00000000885a7513=0x6b
kernel: FIX kmalloc-96: Marking all objects used
The fix is simple: Before use of the queue not only the queue object
but also the card object needs to increase its reference count
with a call to zcrypt_card_get(). Similarly, after use of the queue
not only the queue but also the card object's reference count is
decreased with zcrypt_card_put().
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
2024-03-13 09:23:44 +01:00
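The reference-counting rule the commit describes, as an added userspace model that is not the kernel's code: the card and queue structures, the get/put helpers and the hotplug scenario below are this example's own. It assumes, as a model, that the device layer holds one reference each on the queue and the card and drops both on hot-unplug, and it stands a plain counter in for the kernel's kref. A modeled free does not return memory but poisons the object with the 0x6b byte SLUB reported in the log, so the pre-fix path's touch of a freed card can be detected rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only: not the kernel's zcrypt structures. A freed object is
 * poisoned with 0x6b (SLUB's POISON_FREE, the 'k' bytes in the log),
 * so a later access can be recognised instead of reading freed memory. */
#define LIVE_MAGIC   0x7a636172u   /* object is still allocated */
#define POISON_FREE  0x6b          /* SLUB free-object poison byte */

struct zcrypt_card {
    unsigned int magic;
    int refcount;
    int load;                      /* the field hit by the use after free */
};

struct zcrypt_queue {
    unsigned int magic;
    int refcount;
    struct zcrypt_card *zcard;     /* parent card, like zq->zcard */
};

/* Allocation hands back the single reference owned by the device layer. */
static struct zcrypt_card *zcrypt_card_alloc(void)
{
    struct zcrypt_card *zc = calloc(1, sizeof(*zc));
    if (!zc)
        abort();
    zc->magic = LIVE_MAGIC;
    zc->refcount = 1;
    return zc;
}

static struct zcrypt_queue *zcrypt_queue_alloc(struct zcrypt_card *zc)
{
    struct zcrypt_queue *zq = calloc(1, sizeof(*zq));
    if (!zq)
        abort();
    zq->magic = LIVE_MAGIC;
    zq->refcount = 1;
    zq->zcard = zc;
    return zq;
}

static void zcrypt_card_get(struct zcrypt_card *zc) { zc->refcount++; }
static void zcrypt_queue_get(struct zcrypt_queue *zq) { zq->refcount++; }

/* put: returns the remaining count; 0 means the object was "freed". */
static int zcrypt_card_put(struct zcrypt_card *zc)
{
    int left = --zc->refcount;
    if (left == 0)
        memset(zc, POISON_FREE, sizeof(*zc));   /* modeled kfree() */
    return left;
}

static int zcrypt_queue_put(struct zcrypt_queue *zq)
{
    int left = --zq->refcount;
    if (left == 0)
        memset(zq, POISON_FREE, sizeof(*zq));   /* modeled kfree() */
    return left;
}

/* The request path's touch of the card: bumps load and returns it, or -1
 * when the card was already freed, the access the slab check flagged. */
static int zcrypt_card_load_inc(struct zcrypt_card *zc)
{
    if (zc->magic != LIVE_MAGIC)
        return -1;
    return ++zc->load;
}

/* One request racing with hot-unplug. fixed == 0 pins only the queue
 * before use (pre-fix behaviour); fixed == 1 also pins the card, as the
 * commit does. Returns 1 if load was touched after the card was freed. */
static int hotplug_race(int fixed)
{
    struct zcrypt_card *zc = zcrypt_card_alloc();       /* card probe */
    struct zcrypt_queue *zq = zcrypt_queue_alloc(zc);   /* queue probe */
    int uaf;

    /* request path: before use of the queue */
    zcrypt_queue_get(zq);
    if (fixed)
        zcrypt_card_get(zq->zcard);

    /* hot-unplug: device layer drops its references (model assumption) */
    zcrypt_queue_put(zq);        /* 2 -> 1, the request still pins it */
    zcrypt_card_put(zc);         /* unfixed: 1 -> 0, card freed here */

    /* request path: use of the queue reaches through to the card */
    uaf = zcrypt_card_load_inc(zq->zcard) < 0;

    /* request path: after use of the queue */
    if (fixed)
        zcrypt_card_put(zq->zcard);
    zcrypt_queue_put(zq);

    free(zc);
    free(zq);
    return uaf;
}

int main(void)
{
    printf("pre-fix : load touched after free = %d\n", hotplug_race(0));
    printf("fixed   : load touched after free = %d\n", hotplug_race(1));
    return 0;
}
```

The pairing matters in both directions: the extra zcrypt_card_get() before use keeps the card alive across a concurrent unplug, and the matching zcrypt_card_put() after use is what lets the card finally go away once the last user is done, so the fix neither leaks nor frees early.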