7c51f7bbf0
syzbot is reporting an uninit-value at profile_hits(): there is a race window between

  if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL))
          return -ENOMEM;
  cpumask_copy(prof_cpu_mask, cpu_possible_mask);

in profile_init() and

  cpumask_available(prof_cpu_mask) &&
  cpumask_test_cpu(smp_processor_id(), prof_cpu_mask)

in profile_tick(); prof_cpu_mask remains uninitialized until cpumask_copy() completes, while cpumask_available(prof_cpu_mask) returns true as soon as alloc_cpumask_var(&prof_cpu_mask) completes.

We could replace alloc_cpumask_var() with zalloc_cpumask_var() and call cpumask_copy() from create_proc_profile() on UP kernels only, since profile_online_cpu() calls cpumask_set_cpu() as needed via cpuhp_setup_state(CPUHP_AP_ONLINE_DYN) on SMP kernels. But this patch removes prof_cpu_mask altogether, because it appears to be unnecessary.

The cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) test in profile_tick() is likely always true: a CPU cannot call profile_tick() while that CPU is offline, cpumask_set_cpu(cpu, prof_cpu_mask) is called when that CPU becomes online, and cpumask_clear_cpu(cpu, prof_cpu_mask) is called when that CPU becomes offline. The test could only be false during the transition between online and offline. But according to include/linux/cpuhotplug.h, CPUHP_PROFILE_PREPARE belongs to the PREPARE section, which means that a CPU subjected to profile_dead_cpu() cannot be inside profile_tick() (i.e. there is no risk of a use-after-free bug), because interrupts on that CPU are disabled during the PREPARE section. Therefore, this test is guaranteed to be true and can be removed. (Since profile_hits() checks prof_buffer != NULL, we do not need to check prof_buffer != NULL here, unless get_irq_regs() or user_mode() is so slow that we want to skip them when prof_buffer == NULL.)

do_profile_hits() is called from profile_tick() from the timer interrupt only if cpumask_test_cpu(smp_processor_id(), prof_cpu_mask) is true and prof_buffer is not NULL. But syzbot is also reporting that do_profile_hits() is sometimes called while the current thread is still inside vzalloc(), where prof_buffer must be NULL at that moment. This indicates that multiple threads concurrently wrote to the /sys/kernel/profiling interface, causing one of them to try to re-allocate prof_buffer even though another had already allocated it. Fix this by serializing the writers.

Reported-by: syzbot <syzbot+b1a83ab2a9eb9321fbdd@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=b1a83ab2a9eb9321fbdd
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+b1a83ab2a9eb9321fbdd@syzkaller.appspotmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
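To illustrate the class of bug being fixed, here is a minimal userspace analogue of the publish-before-initialize race described above. This is a sketch only, not kernel code: the writer/reader threads and the mask variable are hypothetical stand-ins for profile_init() and profile_tick() operating on prof_cpu_mask, and the unsynchronized accesses are the deliberate bug being demonstrated.

/* Build with: cc -pthread race_sketch.c -o race_sketch */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static unsigned long *mask;	/* stand-in for prof_cpu_mask */

/* stand-in for profile_init(): allocate, publish, then initialize */
static void *writer(void *arg)
{
	/* like alloc_cpumask_var(): memory contents are indeterminate */
	unsigned long *m = malloc(sizeof(*m));

	(void)arg;
	if (!m)
		return NULL;
	mask = m;			/* pointer becomes visible to the reader... */
	/* <-- race window: the reader can dereference mask here */
	memset(m, 0xff, sizeof(*m));	/* ...before the cpumask_copy() step runs */
	return NULL;
}

/* stand-in for profile_tick(): check availability, then test a bit */
static void *reader(void *arg)
{
	unsigned long *m = mask;

	(void)arg;
	/*
	 * Like cpumask_available() && cpumask_test_cpu(): the non-NULL
	 * check passes even though *m may still be uninitialized.
	 * This read is the deliberate bug (KMSAN would flag it as an
	 * uninit-value, which matches the syzbot report).
	 */
	if (m && !(*m & 1UL))
		puts("saw mask before initialization finished");
	return NULL;
}

int main(void)
{
	pthread_t w, r;

	pthread_create(&w, NULL, writer, NULL);
	pthread_create(&r, NULL, reader, NULL);
	pthread_join(w, NULL);
	pthread_join(r, NULL);
	return 0;
}

In the kernel, the same window existed between alloc_cpumask_var() and cpumask_copy() in profile_init(); the patch sidesteps it entirely by deleting prof_cpu_mask rather than by ordering the initialization, and serializes profiling_store() (shown in the file below) so that prof_buffer cannot be re-allocated by a concurrent writer.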
327 lines
7.6 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
/*
 * kernel/ksysfs.c - sysfs attributes in /sys/kernel, which
 *		     are not related to any other subsystem
 *
 * Copyright (C) 2004 Kay Sievers <kay.sievers@vrfy.org>
 */

#include <asm/byteorder.h>
#include <linux/kobject.h>
#include <linux/string.h>
#include <linux/sysfs.h>
#include <linux/export.h>
#include <linux/init.h>
#include <linux/kexec.h>
#include <linux/profile.h>
#include <linux/stat.h>
#include <linux/sched.h>
#include <linux/capability.h>
#include <linux/compiler.h>

#include <linux/rcupdate.h>	/* rcu_expedited and rcu_normal */

#if defined(__LITTLE_ENDIAN)
#define CPU_BYTEORDER_STRING "little"
#elif defined(__BIG_ENDIAN)
#define CPU_BYTEORDER_STRING "big"
#else
#error Unknown byteorder
#endif

#define KERNEL_ATTR_RO(_name) \
static struct kobj_attribute _name##_attr = __ATTR_RO(_name)

#define KERNEL_ATTR_RW(_name) \
static struct kobj_attribute _name##_attr = __ATTR_RW(_name)

/* current uevent sequence number */
static ssize_t uevent_seqnum_show(struct kobject *kobj,
				  struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%llu\n", (u64)atomic64_read(&uevent_seqnum));
}
KERNEL_ATTR_RO(uevent_seqnum);

/* cpu byteorder */
static ssize_t cpu_byteorder_show(struct kobject *kobj,
				  struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%s\n", CPU_BYTEORDER_STRING);
}
KERNEL_ATTR_RO(cpu_byteorder);

/* address bits */
static ssize_t address_bits_show(struct kobject *kobj,
				 struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%zu\n", sizeof(void *) * 8 /* CHAR_BIT */);
}
KERNEL_ATTR_RO(address_bits);

#ifdef CONFIG_UEVENT_HELPER
/* uevent helper program, used during early boot */
static ssize_t uevent_helper_show(struct kobject *kobj,
				  struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%s\n", uevent_helper);
}
static ssize_t uevent_helper_store(struct kobject *kobj,
				   struct kobj_attribute *attr,
				   const char *buf, size_t count)
{
	if (count+1 > UEVENT_HELPER_PATH_LEN)
		return -ENOENT;
	memcpy(uevent_helper, buf, count);
	uevent_helper[count] = '\0';
	if (count && uevent_helper[count-1] == '\n')
		uevent_helper[count-1] = '\0';
	return count;
}
KERNEL_ATTR_RW(uevent_helper);
#endif

#ifdef CONFIG_PROFILING
static ssize_t profiling_show(struct kobject *kobj,
			      struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", prof_on);
}
static ssize_t profiling_store(struct kobject *kobj,
			       struct kobj_attribute *attr,
			       const char *buf, size_t count)
{
	int ret;
	static DEFINE_MUTEX(lock);

	/*
	 * We need serialization, for profile_setup() initializes prof_on
	 * value and profile_init() must not reallocate prof_buffer after
	 * once allocated.
	 */
	guard(mutex)(&lock);
	if (prof_on)
		return -EEXIST;
	/*
	 * This eventually calls into get_option() which
	 * has a ton of callers and is not const.  It is
	 * easiest to cast it away here.
	 */
	profile_setup((char *)buf);
	ret = profile_init();
	if (ret)
		return ret;
	ret = create_proc_profile();
	if (ret)
		return ret;
	return count;
}
KERNEL_ATTR_RW(profiling);
#endif

#ifdef CONFIG_KEXEC_CORE
static ssize_t kexec_loaded_show(struct kobject *kobj,
				 struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", !!kexec_image);
}
KERNEL_ATTR_RO(kexec_loaded);

#ifdef CONFIG_CRASH_DUMP
static ssize_t kexec_crash_loaded_show(struct kobject *kobj,
				       struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", kexec_crash_loaded());
}
KERNEL_ATTR_RO(kexec_crash_loaded);

static ssize_t kexec_crash_size_show(struct kobject *kobj,
				     struct kobj_attribute *attr, char *buf)
{
	ssize_t size = crash_get_memory_size();

	if (size < 0)
		return size;

	return sysfs_emit(buf, "%zd\n", size);
}
static ssize_t kexec_crash_size_store(struct kobject *kobj,
				      struct kobj_attribute *attr,
				      const char *buf, size_t count)
{
	unsigned long cnt;
	int ret;

	if (kstrtoul(buf, 0, &cnt))
		return -EINVAL;

	ret = crash_shrink_memory(cnt);
	return ret < 0 ? ret : count;
}
KERNEL_ATTR_RW(kexec_crash_size);

#endif /* CONFIG_CRASH_DUMP */
#endif /* CONFIG_KEXEC_CORE */

#ifdef CONFIG_VMCORE_INFO

static ssize_t vmcoreinfo_show(struct kobject *kobj,
			       struct kobj_attribute *attr, char *buf)
{
	phys_addr_t vmcore_base = paddr_vmcoreinfo_note();
	return sysfs_emit(buf, "%pa %x\n", &vmcore_base,
			  (unsigned int)VMCOREINFO_NOTE_SIZE);
}
KERNEL_ATTR_RO(vmcoreinfo);

#ifdef CONFIG_CRASH_HOTPLUG
static ssize_t crash_elfcorehdr_size_show(struct kobject *kobj,
					  struct kobj_attribute *attr, char *buf)
{
	unsigned int sz = crash_get_elfcorehdr_size();

	return sysfs_emit(buf, "%u\n", sz);
}
KERNEL_ATTR_RO(crash_elfcorehdr_size);

#endif

#endif /* CONFIG_VMCORE_INFO */

/* whether file capabilities are enabled */
static ssize_t fscaps_show(struct kobject *kobj,
			   struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", file_caps_enabled);
}
KERNEL_ATTR_RO(fscaps);

#ifndef CONFIG_TINY_RCU
int rcu_expedited;
static ssize_t rcu_expedited_show(struct kobject *kobj,
				  struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", READ_ONCE(rcu_expedited));
}
static ssize_t rcu_expedited_store(struct kobject *kobj,
				   struct kobj_attribute *attr,
				   const char *buf, size_t count)
{
	if (kstrtoint(buf, 0, &rcu_expedited))
		return -EINVAL;

	return count;
}
KERNEL_ATTR_RW(rcu_expedited);

int rcu_normal;
static ssize_t rcu_normal_show(struct kobject *kobj,
			       struct kobj_attribute *attr, char *buf)
{
	return sysfs_emit(buf, "%d\n", READ_ONCE(rcu_normal));
}
static ssize_t rcu_normal_store(struct kobject *kobj,
				struct kobj_attribute *attr,
				const char *buf, size_t count)
{
	if (kstrtoint(buf, 0, &rcu_normal))
		return -EINVAL;

	return count;
}
KERNEL_ATTR_RW(rcu_normal);
#endif /* #ifndef CONFIG_TINY_RCU */

/*
 * Make /sys/kernel/notes give the raw contents of our kernel .notes section.
 */
extern const void __start_notes;
extern const void __stop_notes;
#define notes_size (&__stop_notes - &__start_notes)

static ssize_t notes_read(struct file *filp, struct kobject *kobj,
			  struct bin_attribute *bin_attr,
			  char *buf, loff_t off, size_t count)
{
	memcpy(buf, &__start_notes + off, count);
	return count;
}

static struct bin_attribute notes_attr __ro_after_init = {
	.attr = {
		.name = "notes",
		.mode = S_IRUGO,
	},
	.read = &notes_read,
};

struct kobject *kernel_kobj;
EXPORT_SYMBOL_GPL(kernel_kobj);

static struct attribute * kernel_attrs[] = {
	&fscaps_attr.attr,
	&uevent_seqnum_attr.attr,
	&cpu_byteorder_attr.attr,
	&address_bits_attr.attr,
#ifdef CONFIG_UEVENT_HELPER
	&uevent_helper_attr.attr,
#endif
#ifdef CONFIG_PROFILING
	&profiling_attr.attr,
#endif
#ifdef CONFIG_KEXEC_CORE
	&kexec_loaded_attr.attr,
#ifdef CONFIG_CRASH_DUMP
	&kexec_crash_loaded_attr.attr,
	&kexec_crash_size_attr.attr,
#endif
#endif
#ifdef CONFIG_VMCORE_INFO
	&vmcoreinfo_attr.attr,
#ifdef CONFIG_CRASH_HOTPLUG
	&crash_elfcorehdr_size_attr.attr,
#endif
#endif
#ifndef CONFIG_TINY_RCU
	&rcu_expedited_attr.attr,
	&rcu_normal_attr.attr,
#endif
	NULL
};

static const struct attribute_group kernel_attr_group = {
	.attrs = kernel_attrs,
};

static int __init ksysfs_init(void)
{
	int error;

	kernel_kobj = kobject_create_and_add("kernel", NULL);
	if (!kernel_kobj) {
		error = -ENOMEM;
		goto exit;
	}
	error = sysfs_create_group(kernel_kobj, &kernel_attr_group);
	if (error)
		goto kset_exit;

	if (notes_size > 0) {
		notes_attr.size = notes_size;
		error = sysfs_create_bin_file(kernel_kobj, &notes_attr);
		if (error)
			goto group_exit;
	}

	return 0;

group_exit:
	sysfs_remove_group(kernel_kobj, &kernel_attr_group);
kset_exit:
	kobject_put(kernel_kobj);
exit:
	return error;
}

core_initcall(ksysfs_init);