WSL2-Linux-Kernel/lib
Thomas Gleixner 500ffa58e7 debugobject: Prevent init race with static objects
[ Upstream commit 63a759694e ]

Statically initialized objects are usually not initialized via the init()
function of the subsystem. They are special cased and the subsystem
provides a function to validate whether an object which is not yet tracked
by debugobjects is statically initialized. This means the object is started
to be tracked on first use, e.g. activation.

This works perfectly fine, unless there are two concurrent operations on
that object. Schspa decoded the problem:

T0 	          	    	    T1

debug_object_assert_init(addr)
  lock_hash_bucket()
  obj = lookup_object(addr);
  if (!obj) {
  	unlock_hash_bucket();
	- > preemption
			            lock_subsytem_object(addr);
				      activate_object(addr)
				      lock_hash_bucket();
				      obj = lookup_object(addr);
				      if (!obj) {
				    	unlock_hash_bucket();
					if (is_static_object(addr))
					   init_and_track(addr);
				      lock_hash_bucket();
				      obj = lookup_object(addr);
				      obj->state = ACTIVATED;
				      unlock_hash_bucket();

				    subsys function modifies content of addr,
				    so static object detection does
				    not longer work.

				    unlock_subsytem_object(addr);

        if (is_static_object(addr)) <- Fails

	  debugobject emits a warning and invokes the fixup function which
	  reinitializes the already active object in the worst case.

This race exists forever, but was never observed until mod_timer() got a
debug_object_assert_init() added which is outside of the timer base lock
held section right at the beginning of the function to cover the lockless
early exit points too.

Rework the code so that the lookup, the static object check and the
tracking object association happens atomically under the hash bucket
lock. This prevents the issue completely as all callers are serialized on
the hash bucket lock and therefore cannot observe inconsistent state.

Fixes: 3ac7fe5a4a ("infrastructure to debug (dynamic) objects")
Reported-by: syzbot+5093ba19745994288b53@syzkaller.appspotmail.com
Debugged-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Link: https://syzkaller.appspot.com/bug?id=22c8a5938eab640d1c6bcc0e3dc7be519d878462
Link: https://lore.kernel.org/lkml/20230303161906.831686-1-schspa@gmail.com
Link: https://lore.kernel.org/r/87zg7dzgao.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-11 23:00:25 +09:00
..
842
crypto crypto: lib - remove unneeded selection of XOR_BLOCKS 2022-09-05 10:30:03 +02:00
dim dim: initialize all struct fields 2022-05-18 10:26:49 +02:00
fonts lib/fonts: fix undefined behavior in bit shift for get_default_font 2022-12-31 13:14:02 +01:00
kunit kunit: fix debugfs code to use enum kunit_status, not bool 2022-06-09 10:22:53 +02:00
livepatch selftests/livepatch: better synchronize test_klp_callbacks_busy 2022-08-17 14:24:03 +02:00
lz4 lz4: fix LZ4_decompress_safe_partial read out of bound 2022-04-13 20:59:21 +02:00
lzo
math math: make RATIONAL tristate 2021-09-08 11:50:26 -07:00
mpi lib/mpi: Fix buffer overrun when SG is too long 2023-03-10 09:39:09 +01:00
pldmfw lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
raid6 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 2022-04-08 14:23:56 +02:00
reed_solomon lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
vdso lib/vdso: use "grep -E" instead of "egrep" 2022-12-02 17:41:08 +01:00
xz lib/xz: Validate the value before assigning it to an enum variable 2021-11-18 19:16:17 +01:00
zlib_deflate
zlib_dfltcc
zlib_inflate lib/zlib_inflate/inffast: check config in C to avoid unused function warning 2021-09-24 16:13:35 -07:00
zstd lib/decompressors: fix spelling mistakes 2021-07-01 11:06:05 -07:00
.gitignore .gitignore: prefix local generated files with a slash 2021-05-02 00:43:35 +09:00
Kconfig crypto: memneq - move into lib/ 2022-06-22 14:22:03 +02:00
Kconfig.debug lib/Kconfig.debug: Allow BTF + DWARF5 with pahole 1.21+ 2023-02-25 12:06:46 +01:00
Kconfig.kasan kasan: fix Kconfig check of CC_HAS_WORKING_NOSANITIZE_ADDRESS 2021-09-24 16:13:34 -07:00
Kconfig.kcsan kcsan: Make strict mode imply interruptible watchers 2021-07-20 13:49:44 -07:00
Kconfig.kfence kfence: default to dynamic branch instead of static keys mode 2021-11-12 15:05:49 +01:00
Kconfig.kgdb
Kconfig.ubsan ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-04-13 20:59:27 +02:00
Makefile crypto: memneq - move into lib/ 2022-06-22 14:22:03 +02:00
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c
asn1_encoder.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
assoc_array.c assoc_array: Fix BUG_ON during garbage collect 2022-06-06 08:43:37 +02:00
atomic64.c locking/atomic: atomic64: support ARCH_ATOMIC 2021-05-26 13:20:50 +02:00
atomic64_test.c
audit.c
bcd.c
bch.c lib/bch.c: fix a typo in the file bch.c 2021-05-06 19:24:12 -07:00
bitfield_kunit.c
bitmap.c bitmap: extend comment to bitmap_print_bitmask/list_to_buf 2021-08-13 10:27:50 +02:00
bitrev.c
bootconfig.c memblock: introduce saner 'memblock_free_ptr()' interface 2021-09-14 13:23:22 -07:00
bsearch.c
btree.c
bucket_locks.c
bug.c bug: Assign values once in bug_get_file_line() 2021-04-01 09:54:37 +01:00
build_OID_registry
buildid.c kdump: use vmlinux_build_id to simplify 2021-07-08 11:48:22 -07:00
bust_spinlocks.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c lib/cmdline: Export next_arg() for being used in modules 2021-05-05 16:07:40 +02:00
cmdline_kunit.c lib/cmdline_kunit: Remove a cast which are no-longer required 2021-06-23 16:41:41 -06:00
cmpdi2.c
compat_audit.c
cpu_rmap.c
cpumask.c
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc4.c
crc7.c
crc8.c lib: crc8: pointer to data block should be const 2021-05-06 19:24:12 -07:00
crc16.c
crc32.c
crc32defs.h
crc32test.c
crc64.c lib: crc64: fix kernel-doc warning 2021-06-05 08:58:12 -07:00
ctype.c
debug_info.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
debug_locks.c locking/lockdep: Improve noinstr vs errors 2021-06-22 13:56:43 +02:00
debugobjects.c debugobject: Prevent init race with static objects 2023-05-11 23:00:25 +09:00
dec_and_lock.c
decompress.c
decompress_bunzip2.c lib/decompressors: fix spelling mistakes 2021-07-01 11:06:05 -07:00
decompress_inflate.c
decompress_unlz4.c lib/decompress_unlz4.c: correctly handle zero-padding around initrds. 2021-07-01 11:06:06 -07:00
decompress_unlzma.c lib: fix inconsistent indenting in process_bit1() 2021-05-06 19:24:12 -07:00
decompress_unlzo.c lib/decompressors: remove set but not used variabled 'level' 2021-07-01 11:06:06 -07:00
decompress_unxz.c lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression 2021-11-18 19:16:17 +01:00
decompress_unzstd.c lib/decompressors: fix spelling mistakes 2021-07-01 11:06:05 -07:00
devmem_is_allowed.c lib: use PFN_PHYS() in devmem_is_allowed() 2021-08-13 14:09:32 -10:00
devres.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
digsig.c
dump_stack.c lib/dump_stack: correct kernel-doc notation 2021-09-08 11:50:26 -07:00
dynamic_debug.c dyndbg: drop EXPORTed dynamic_debug_exec_queries 2022-10-26 12:35:08 +02:00
dynamic_queue_limits.c
earlycpio.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
errname.c printf: fix errname.c list 2023-03-10 09:39:33 +01:00
error-inject.c
errseq.c
extable.c
fault-inject-usercopy.c
fault-inject.c
fdt.c
fdt_addresses.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c lib: add fast path for find_first_*_bit() and find_last_bit() 2021-05-06 19:24:12 -07:00
find_bit_benchmark.c
flex_proportions.c
gen_crc32table.c
gen_crc64table.c
genalloc.c lib/genalloc: add parameter description to fix doc compile warning 2021-05-06 19:24:12 -07:00
generic-radix-tree.c
glob.c
globtest.c
hexdump.c hex2bin: fix access beyond string end 2022-05-09 09:14:30 +02:00
hweight.c
idr.c ida: don't use BUG_ON() for debugging 2022-07-12 16:35:18 +02:00
inflate.c
interval_tree.c
interval_tree_test.c
iomap.c
iomap_copy.c
iommu-helper.c
iov_iter.c fix short copy handling in copy_mc_pipe_to_iter() 2022-08-17 14:22:51 +02:00
irq_poll.c
irq_regs.c
is_single_threaded.c
kasprintf.c isystem: ship and use stdarg.h 2021-08-19 09:02:55 +09:00
kfifo.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
klist.c
kobject.c kobject: Fix slab-out-of-bounds in fill_kobj_path() 2023-03-10 09:39:35 +01:00
kobject_uevent.c kobject_uevent: remove warning in init_uevent_argv() 2021-04-10 11:09:41 +02:00
kstrtox.c Merge branch 'akpm' (patches from Andrew) 2021-07-02 12:08:10 -07:00
kstrtox.h lib: vsprintf: Fix handling of number field widths in vsscanf 2021-05-19 15:05:11 +02:00
libcrc32c.c
linear_ranges.c lib: add linear range get selector within 2021-08-13 18:37:38 +02:00
list-test.c list: test: Add a test for list_is_head() 2022-06-09 10:23:31 +02:00
list_debug.c lib/list_debug.c: Detect uninitialized lists 2022-08-25 11:40:40 +02:00
list_sort.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c lockdep/selftest: Remove wait-type RCU_CALLBACK tests 2021-06-22 16:42:08 +02:00
lockref.c lockref: stop doing cpu_relax in the cmpxchg loop 2023-02-01 08:27:19 +01:00
logic_iomem.c lib/logic_iomem: correct fallback config references 2022-04-13 20:58:59 +02:00
logic_pio.c
lru_cache.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
lshrdi3.c
memcat_p.c
memneq.c crypto: memneq - move into lib/ 2022-06-22 14:22:03 +02:00
memory-notifier-error-inject.c
memregion.c
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c netlink: prevent potential spectre v1 gadgets 2023-02-01 08:27:26 +01:00
nmi_backtrace.c printk: restore flushing of NMI buffers on remote CPUs after NMI backtraces 2021-11-25 09:48:45 +01:00
nodemask.c nodemask: Fix return values to be unsigned 2022-06-14 18:36:24 +02:00
notifier-error-inject.c lib/notifier-error-inject: fix error when writing -errno to debugfs file 2022-12-31 13:14:03 +01:00
notifier-error-inject.h
objagg.c
of-reconfig-notifier-error-inject.c
oid_registry.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
once.c once: add DO_ONCE_SLOW() for sleepable contexts 2022-10-26 12:34:49 +02:00
packing.c net: update NXP copyright text 2021-09-17 13:52:17 +01:00
parman.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
parser.c kernel.h: split out kstrtox() and simple_strtox() to a separate header 2021-07-01 11:06:05 -07:00
pci_iomap.c pci_iounmap'2: Electric Boogaloo: try to make sense of it all 2021-09-19 17:13:35 -07:00
percpu-refcount.c percpu_ref_init(): clean ->percpu_count_ref on failure 2022-06-06 08:43:36 +02:00
percpu_counter.c lib/percpu_counter: tame kernel-doc compile warning 2021-05-06 19:24:12 -07:00
percpu_test.c
plist.c
pm-notifier-error-inject.c
radix-tree.c lib: remove "expecting prototype" kernel-doc warnings 2021-04-16 16:10:37 -07:00
random32.c random: replace custom notifier chain with standard one 2022-05-30 09:29:10 +02:00
ratelimit.c ratelimit: Fix data-races in ___ratelimit(). 2022-08-31 17:16:43 +02:00
rbtree.c
rbtree_test.c
refcount.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
rhashtable.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
sbitmap.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
scatterlist.c Merge branch 'akpm' (patches from Andrew) 2021-09-03 10:08:28 -07:00
seq_buf.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
sg_pool.c lib/scatterlist: Fix wrong update of orig_nents 2021-08-24 19:52:40 -03:00
sg_split.c
sha1.c lib/crypto: sha1: re-roll loops to reduce code size 2022-05-30 09:28:59 +02:00
show_mem.c
siphash.c siphash: use one source of truth for siphash permutations 2022-05-30 09:29:15 +02:00
slub_kunit.c mm/slub, kunit: add a KUnit test for SLUB debugging functionality 2021-06-29 10:53:46 -07:00
smp_processor_id.c lib/smp_processor_id: fix imbalanced instrumentation_end() call 2022-08-17 14:24:08 +02:00
sort.c lib: fix spelling mistakes 2021-07-08 11:48:20 -07:00
stackdepot.c stacktrace: move filter_irq_stacks() to kernel/stacktrace.c 2022-04-13 20:59:28 +02:00
stmp_device.c
string.c string: improve default out-of-line memcmp() implementation 2021-08-30 07:50:56 -07:00
string_helpers.c string: uninline memcpy_and_pad 2021-11-21 13:44:12 +01:00
strncpy_from_user.c
strnlen_user.c
syscall.c sched: Change task_struct::state 2021-06-18 11:43:09 +02:00
test-kstrtox.c
test-string_helpers.c string_helpers: Escape double quotes in escape_special 2021-07-19 11:39:28 +02:00
test_bitmap.c lib: test_bitmap: add bitmap_print_bitmask/list_to_buf test cases 2021-08-13 10:27:49 +02:00
test_bitops.c lib/test: fix spelling mistakes 2021-07-08 11:48:20 -07:00
test_bits.c
test_blackhole_dev.c
test_bpf.c test_bpf: fix incorrect netdev features 2022-08-17 14:23:23 +02:00
test_debug_virtual.c
test_firmware.c test_firmware: fix memory leak in test_firmware_init() 2022-12-31 13:14:29 +01:00
test_fpu.c
test_free_pages.c
test_hash.c
test_hexdump.c
test_hmm.c lib/test_hmm: avoid accessing uninitialized pages 2022-08-17 14:23:43 +02:00
test_hmm_uapi.h mm: selftests for exclusive device memory 2021-07-01 11:06:03 -07:00
test_ida.c
test_kasan.c kasan: test: Silence GCC 12 warnings 2022-08-17 14:23:05 +02:00
test_kasan_module.c kasan: test: avoid corrupting memory in kasan_rcu_uaf 2021-09-03 09:58:15 -07:00
test_kmod.c lib/test: use after free in register_test_dev_kmod() 2022-04-08 14:23:54 +02:00
test_linear_ranges.c
test_list_sort.c lib/test: convert lib/test_list_sort.c to use KUnit 2021-06-25 11:31:03 -06:00
test_lockup.c lib/test_lockup: fix kernel pointer check for separate address spaces 2022-04-08 14:24:01 +02:00
test_memcat_p.c
test_meminit.c lib/test_meminit: destroy cache in kmem_cache_alloc_bulk() test 2022-01-27 11:05:44 +01:00
test_min_heap.c
test_module.c
test_objagg.c
test_overflow.c overflow: Implement size_t saturating arithmetic helpers 2022-12-31 13:14:33 +01:00
test_parman.c
test_printf.c Merge branch 'akpm' (patches from Andrew) 2021-09-08 12:55:35 -07:00
test_rhashtable.c rhashtable: avoid -Wrestrict warning on overlapping sprintf output 2021-03-24 15:16:09 -07:00
test_scanf.c lib/test_scanf: split up number parsing test routines 2021-09-06 11:04:03 -07:00
test_siphash.c
test_sort.c lib/test: convert test_sort.c to use KUnit 2021-09-08 11:50:26 -07:00
test_stackinit.c lib/test_stackinit: Add assigned initializers 2021-08-22 00:21:36 -07:00
test_static_key_base.c
test_static_keys.c
test_string.c lib/test_string.c: allow module removal 2021-07-01 11:06:05 -07:00
test_strscpy.c
test_sysctl.c
test_ubsan.c ubsan: remove CONFIG_UBSAN_OBJECT_SIZE 2022-04-13 20:59:27 +02:00
test_user_copy.c
test_uuid.c
test_vmalloc.c lib/test_vmalloc.c: add a new 'nr_pages' parameter 2021-09-03 09:58:14 -07:00
test_xarray.c XArray: Fix xas_create_range() when multi-order entry present 2022-04-08 14:24:09 +02:00
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c panic: Consolidate open-coded panic_on_warn checks 2023-02-01 08:27:22 +01:00
ubsan.h
ucmpdi2.c
ucs2_string.c
usercopy.c uaccess: Add speculation barrier to copy_from_user() 2023-02-25 12:06:44 +01:00
uuid.c
vsprintf.c random: replace custom notifier chain with standard one 2022-05-30 09:29:10 +02:00
win_minmax.c
xarray.c XArray: Update the LRU list in xas_split() 2022-04-08 14:24:09 +02:00
xxhash.c