alistair23-linux

redonkable

Fork of alistair23 Linux kernel for reMarkable from https://github.com/alistair23/linux

Go to file

Sahitya Tummala 510b4e0695 block: Fix use-after-free issue accessing struct io_cq [ Upstream commit `30a2da7b7e` ] There is a potential race between ioc_release_fn() and ioc_clear_queue() as shown below, due to which below kernel crash is observed. It also can result into use-after-free issue. context#1: context#2: ioc_release_fn() __ioc_clear_queue() gets the same icq ->spin_lock(&ioc->lock); ->spin_lock(&ioc->lock); ->ioc_destroy_icq(icq); ->list_del_init(&icq->q_node); ->call_rcu(&icq->__rcu_head, icq_free_icq_rcu); ->spin_unlock(&ioc->lock); ->ioc_destroy_icq(icq); ->hlist_del_init(&icq->ioc_node); This results into below crash as this memory is now used by icq->__rcu_head in context#1. There is a chance that icq could be free'd as well. 22150.386550: <6> Unable to handle kernel write to read-only memory at virtual address ffffffaa8d31ca50 ... Call trace: 22150.607350: <2> ioc_destroy_icq+0x44/0x110 22150.611202: <2> ioc_clear_queue+0xac/0x148 22150.615056: <2> blk_cleanup_queue+0x11c/0x1a0 22150.619174: <2> __scsi_remove_device+0xdc/0x128 22150.623465: <2> scsi_forget_host+0x2c/0x78 22150.627315: <2> scsi_remove_host+0x7c/0x2a0 22150.631257: <2> usb_stor_disconnect+0x74/0xc8 22150.635371: <2> usb_unbind_interface+0xc8/0x278 22150.639665: <2> device_release_driver_internal+0x198/0x250 22150.644897: <2> device_release_driver+0x24/0x30 22150.649176: <2> bus_remove_device+0xec/0x140 22150.653204: <2> device_del+0x270/0x460 22150.656712: <2> usb_disable_device+0x120/0x390 22150.660918: <2> usb_disconnect+0xf4/0x2e0 22150.664684: <2> hub_event+0xd70/0x17e8 22150.668197: <2> process_one_work+0x210/0x480 22150.672222: <2> worker_thread+0x32c/0x4c8 Fix this by adding a new ICQ_DESTROYED flag in ioc_destroy_icq() to indicate this icq is once marked as destroyed. Also, ensure __ioc_clear_queue() is accessing icq within rcu_read_lock/unlock so that icq doesn't get free'd up while it is still using it. Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Co-developed-by: Pradeep P V K <ppvk@codeaurora.org> Signed-off-by: Pradeep P V K <ppvk@codeaurora.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>		2020-04-17 10:50:04 +02:00
Documentation	dt-bindings: net: FMan erratum A050385	2020-04-01 11:01:52 +02:00
LICENSES	LICENSES: Rename other to deprecated	2019-05-03 06:34:32 -06:00
arch	x86/boot: Use unsigned comparison for addresses	2020-04-17 10:50:03 +02:00
block	block: Fix use-after-free issue accessing struct io_cq	2020-04-17 10:50:04 +02:00
certs	PKCS#7: Refactor verify_pkcs7_signature()	2019-08-05 18:40:18 -04:00
crypto	crypto: rename sm3-256 to sm3 in hash_algo_name	2020-02-28 17:22:26 +01:00
drivers	efi/x86: Ignore the memory attributes table on i386	2020-04-17 10:50:03 +02:00
fs	gfs2: Don't demote a glock until its revokes are written	2020-04-17 10:50:03 +02:00
include	block: Fix use-after-free issue accessing struct io_cq	2020-04-17 10:50:04 +02:00
init	kbuild: remove header compile test	2020-03-05 16:43:47 +01:00
ipc	Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"	2020-02-28 17:22:20 +01:00
kernel	genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy()	2020-04-17 10:50:04 +02:00
lib	uapi: rename ext2_swab() to swab() and share globally in swab.h	2020-04-13 10:48:07 +02:00
mm	slub: improve bit diffusion for freelist ptr obfuscation	2020-04-13 10:48:07 +02:00
net	cfg80211: Do not warn on same channel at the end of CSA	2020-04-17 10:49:59 +02:00
samples	samples/bpf: Set -fno-stack-protector when building BPF programs	2020-02-24 08:36:36 +01:00
scripts	kconfig: introduce m32-flag and m64-flag	2020-04-08 09:08:37 +02:00
security	efi: Only print errors about failing to get certs if EFI vars are found	2020-03-12 13:00:14 +01:00
sound	ASoC: jz4740-i2s: Fix divider written at incorrect offset in register	2020-04-13 10:48:09 +02:00
tools	selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault	2020-04-17 10:50:02 +02:00
usr	initramfs: restore default compression behavior	2020-04-08 09:08:38 +02:00
virt	KVM: Check for a bad hva before dropping into the ghc slow path	2020-03-05 16:43:48 +01:00
.clang-format	clang-format: Update with the latest for_each macro list	2019-08-31 10:00:51 +02:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore	Opt out of scripts/get_maintainer.pl	2019-05-16 10:53:40 -07:00
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	Modules updates for v5.4	2019-09-22 10:34:46 -07:00
.mailmap	ARM: SoC fixes	2019-11-10 13:41:59 -08:00
COPYING	COPYING: use the new text with points to the license files	2018-03-23 12:41:45 -06:00
CREDITS	MAINTAINERS: Remove Simon as Renesas SoC Co-Maintainer	2019-10-10 08:12:51 -07:00
Kbuild	kbuild: do not descend to ./Kbuild when cleaning	2019-08-21 21:03:58 +09:00
Kconfig	docs: kbuild: convert docs to ReST and rename to *.rst	2019-06-14 14:21:21 -06:00
MAINTAINERS	MAINTAINERS: Update drm/i915 bug filing URL	2020-02-28 17:22:19 +01:00
Makefile	Linux 5.4.32	2020-04-13 10:48:18 +02:00
README	Drop all 00-INDEX files from Documentation/	2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.