Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 633c5ed17f
Branches Tags
pve-edge-kernel
/
patches
/
kernel
/
0126-locking-barriers-Convert-users-of-lockless_dereferen.patch

0126-locking-barriers-Convert-users-of-lockless_dereferen.patch 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324 
  1. From 9d02a406fe5f64f282832e7d0ab8fcd2631fc15a Mon Sep 17 00:00:00 2001
    2. 

  2. From: Will Deacon <[email protected]>
    3. 

  3. Date: Tue, 24 Oct 2017 11:22:48 +0100
    4. 

  4. Subject: [PATCH 126/242] locking/barriers: Convert users of
    5. 

  5.  lockless_dereference() to READ_ONCE()
    6. 

  6. MIME-Version: 1.0
    7. 

  7. Content-Type: text/plain; charset=UTF-8
    8. 

  8. Content-Transfer-Encoding: 8bit
    9. 

  9. 

  10. CVE-2017-5754
    11. 

  11. 

  12. [ Note, this is a Git cherry-pick of the following commit:
    13. 

  13. 

  14.     506458efaf15 ("locking/barriers: Convert users of lockless_dereference() to READ_ONCE()")
    15. 

  15. 

  16.   ... for easier x86 PTI code testing and back-porting. ]
    17. 

  17. 

  18. READ_ONCE() now has an implicit smp_read_barrier_depends() call, so it
    19. 

  19. can be used instead of lockless_dereference() without any change in
    20. 

  20. semantics.
    21. 

  21. 

  22. Signed-off-by: Will Deacon <[email protected]>
    23. 

  23. Cc: Linus Torvalds <[email protected]>
    24. 

  24. Cc: Paul E. McKenney <[email protected]>
    25. 

  25. Cc: Peter Zijlstra <[email protected]>
    26. 

  26. Cc: Thomas Gleixner <[email protected]>
    27. 

  27. Link: http://lkml.kernel.org/r/[email protected]
    28. 

  28. Signed-off-by: Ingo Molnar <[email protected]>
    29. 

  29. (cherry picked from commit 3382290ed2d5e275429cef510ab21889d3ccd164)
    30. 

  30. Signed-off-by: Andy Whitcroft <[email protected]>
    31. 

  31. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    32. 

  32. (cherry picked from commit 7252704bfd83e951d00ec75526ed2bf64a7f6ee1)
    33. 

  33. Signed-off-by: Fabian Grünbichler <[email protected]>
    34. 

  34. ---
    35. 

  35.  arch/x86/include/asm/mmu_context.h |  4 ++--
    36. 

  36.  fs/overlayfs/ovl_entry.h           |  2 +-
    37. 

  37.  include/linux/rculist.h            |  4 ++--
    38. 

  38.  include/linux/rcupdate.h           |  4 ++--
    39. 

  39.  mm/slab.h                          |  2 +-
    40. 

  40.  arch/x86/events/core.c             |  2 +-
    41. 

  41.  arch/x86/kernel/ldt.c              |  2 +-
    42. 

  42.  drivers/md/dm-mpath.c              | 20 ++++++++++----------
    43. 

  43.  fs/dcache.c                        |  4 ++--
    44. 

  44.  fs/overlayfs/readdir.c             |  2 +-
    45. 

  45.  kernel/events/core.c               |  4 ++--
    46. 

  46.  kernel/seccomp.c                   |  2 +-
    47. 

  47.  kernel/task_work.c                 |  2 +-
    48. 

  48.  13 files changed, 27 insertions(+), 27 deletions(-)
    49. 

  49. 

  50. diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
    51. 

  51. index 3c856a15b98e..efc530642f7d 100644
    52. 

  52. --- a/arch/x86/include/asm/mmu_context.h
    53. 

  53. +++ b/arch/x86/include/asm/mmu_context.h
    54. 

  54. @@ -72,8 +72,8 @@ static inline void load_mm_ldt(struct mm_struct *mm)
    55. 

  55.  #ifdef CONFIG_MODIFY_LDT_SYSCALL
    56. 

  56.  	struct ldt_struct *ldt;
    57. 

  57.  
    58. 

  58. -	/* lockless_dereference synchronizes with smp_store_release */
    59. 

  59. -	ldt = lockless_dereference(mm->context.ldt);
    60. 

  60. +	/* READ_ONCE synchronizes with smp_store_release */
    61. 

  61. +	ldt = READ_ONCE(mm->context.ldt);
    62. 

  62.  
    63. 

  63.  	/*
    64. 

  64.  	 * Any change to mm->context.ldt is followed by an IPI to all
    65. 

  65. diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
    66. 

  66. index 25d9b5adcd42..36b49bd09264 100644
    67. 

  67. --- a/fs/overlayfs/ovl_entry.h
    68. 

  68. +++ b/fs/overlayfs/ovl_entry.h
    69. 

  69. @@ -77,5 +77,5 @@ static inline struct ovl_inode *OVL_I(struct inode *inode)
    70. 

  70.  
    71. 

  71.  static inline struct dentry *ovl_upperdentry_dereference(struct ovl_inode *oi)
    72. 

  72.  {
    73. 

  73. -	return lockless_dereference(oi->__upperdentry);
    74. 

  74. +	return READ_ONCE(oi->__upperdentry);
    75. 

  75.  }
    76. 

  76. diff --git a/include/linux/rculist.h b/include/linux/rculist.h
    77. 

  77. index b1fd8bf85fdc..3a2bb7d8ed4d 100644
    78. 

  78. --- a/include/linux/rculist.h
    79. 

  79. +++ b/include/linux/rculist.h
    80. 

  80. @@ -274,7 +274,7 @@ static inline void list_splice_tail_init_rcu(struct list_head *list,
    81. 

  81.   * primitives such as list_add_rcu() as long as it's guarded by rcu_read_lock().
    82. 

  82.   */
    83. 

  83.  #define list_entry_rcu(ptr, type, member) \
    84. 

  84. -	container_of(lockless_dereference(ptr), type, member)
    85. 

  85. +	container_of(READ_ONCE(ptr), type, member)
    86. 

  86.  
    87. 

  87.  /**
    88. 

  88.   * Where are list_empty_rcu() and list_first_entry_rcu()?
    89. 

  89. @@ -367,7 +367,7 @@ static inline void list_splice_tail_init_rcu(struct list_head *list,
    90. 

  90.   * example is when items are added to the list, but never deleted.
    91. 

  91.   */
    92. 

  92.  #define list_entry_lockless(ptr, type, member) \
    93. 

  93. -	container_of((typeof(ptr))lockless_dereference(ptr), type, member)
    94. 

  94. +	container_of((typeof(ptr))READ_ONCE(ptr), type, member)
    95. 

  95.  
    96. 

  96.  /**
    97. 

  97.   * list_for_each_entry_lockless - iterate over rcu list of given type
    98. 

  98. diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
    99. 

  99. index f816fc72b51e..ae494eb7b401 100644
    100. 

  100. --- a/include/linux/rcupdate.h
    101. 

  101. +++ b/include/linux/rcupdate.h
    102. 

  102. @@ -341,7 +341,7 @@ static inline void rcu_preempt_sleep_check(void) { }
    103. 

  103.  #define __rcu_dereference_check(p, c, space) \
    104. 

  104.  ({ \
    105. 

  105.  	/* Dependency order vs. p above. */ \
    106. 

  106. -	typeof(*p) *________p1 = (typeof(*p) *__force)lockless_dereference(p); \
    107. 

  107. +	typeof(*p) *________p1 = (typeof(*p) *__force)READ_ONCE(p); \
    108. 

  108.  	RCU_LOCKDEP_WARN(!(c), "suspicious rcu_dereference_check() usage"); \
    109. 

  109.  	rcu_dereference_sparse(p, space); \
    110. 

  110.  	((typeof(*p) __force __kernel *)(________p1)); \
    111. 

  111. @@ -355,7 +355,7 @@ static inline void rcu_preempt_sleep_check(void) { }
    112. 

  112.  #define rcu_dereference_raw(p) \
    113. 

  113.  ({ \
    114. 

  114.  	/* Dependency order vs. p above. */ \
    115. 

  115. -	typeof(p) ________p1 = lockless_dereference(p); \
    116. 

  116. +	typeof(p) ________p1 = READ_ONCE(p); \
    117. 

  117.  	((typeof(*p) __force __kernel *)(________p1)); \
    118. 

  118.  })
    119. 

  119.  
    120. 

  120. diff --git a/mm/slab.h b/mm/slab.h
    121. 

  121. index 6885e1192ec5..494cccef822a 100644
    122. 

  122. --- a/mm/slab.h
    123. 

  123. +++ b/mm/slab.h
    124. 

  124. @@ -257,7 +257,7 @@ cache_from_memcg_idx(struct kmem_cache *s, int idx)
    125. 

  125.  	 * memcg_caches issues a write barrier to match this (see
    126. 

  126.  	 * memcg_create_kmem_cache()).
    127. 

  127.  	 */
    128. 

  128. -	cachep = lockless_dereference(arr->entries[idx]);
    129. 

  129. +	cachep = READ_ONCE(arr->entries[idx]);
    130. 

  130.  	rcu_read_unlock();
    131. 

  131.  
    132. 

  132.  	return cachep;
    133. 

  133. diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
    134. 

  134. index 939050169d12..18685de61288 100644
    135. 

  135. --- a/arch/x86/events/core.c
    136. 

  136. +++ b/arch/x86/events/core.c
    137. 

  137. @@ -2336,7 +2336,7 @@ static unsigned long get_segment_base(unsigned int segment)
    138. 

  138.  		struct ldt_struct *ldt;
    139. 

  139.  
    140. 

  140.  		/* IRQs are off, so this synchronizes with smp_store_release */
    141. 

  141. -		ldt = lockless_dereference(current->active_mm->context.ldt);
    142. 

  142. +		ldt = READ_ONCE(current->active_mm->context.ldt);
    143. 

  143.  		if (!ldt || idx >= ldt->nr_entries)
    144. 

  144.  			return 0;
    145. 

  145.  
    146. 

  146. diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
    147. 

  147. index 0402d44deb4d..b8be2413cb74 100644
    148. 

  148. --- a/arch/x86/kernel/ldt.c
    149. 

  149. +++ b/arch/x86/kernel/ldt.c
    150. 

  150. @@ -102,7 +102,7 @@ static void finalize_ldt_struct(struct ldt_struct *ldt)
    151. 

  151.  static void install_ldt(struct mm_struct *current_mm,
    152. 

  152.  			struct ldt_struct *ldt)
    153. 

  153.  {
    154. 

  154. -	/* Synchronizes with lockless_dereference in load_mm_ldt. */
    155. 

  155. +	/* Synchronizes with READ_ONCE in load_mm_ldt. */
    156. 

  156.  	smp_store_release(&current_mm->context.ldt, ldt);
    157. 

  157.  
    158. 

  158.  	/* Activate the LDT for all CPUs using current_mm. */
    159. 

  159. diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c
    160. 

  160. index d24e4b05f5da..731b7ffc7e37 100644
    161. 

  161. --- a/drivers/md/dm-mpath.c
    162. 

  162. +++ b/drivers/md/dm-mpath.c
    163. 

  163. @@ -366,7 +366,7 @@ static struct pgpath *choose_path_in_pg(struct multipath *m,
    164. 

  164.  
    165. 

  165.  	pgpath = path_to_pgpath(path);
    166. 

  166.  
    167. 

  167. -	if (unlikely(lockless_dereference(m->current_pg) != pg)) {
    168. 

  168. +	if (unlikely(READ_ONCE(m->current_pg) != pg)) {
    169. 

  169.  		/* Only update current_pgpath if pg changed */
    170. 

  170.  		spin_lock_irqsave(&m->lock, flags);
    171. 

  171.  		m->current_pgpath = pgpath;
    172. 

  172. @@ -390,7 +390,7 @@ static struct pgpath *choose_pgpath(struct multipath *m, size_t nr_bytes)
    173. 

  173.  	}
    174. 

  174.  
    175. 

  175.  	/* Were we instructed to switch PG? */
    176. 

  176. -	if (lockless_dereference(m->next_pg)) {
    177. 

  177. +	if (READ_ONCE(m->next_pg)) {
    178. 

  178.  		spin_lock_irqsave(&m->lock, flags);
    179. 

  179.  		pg = m->next_pg;
    180. 

  180.  		if (!pg) {
    181. 

  181. @@ -406,7 +406,7 @@ static struct pgpath *choose_pgpath(struct multipath *m, size_t nr_bytes)
    182. 

  182.  
    183. 

  183.  	/* Don't change PG until it has no remaining paths */
    184. 

  184.  check_current_pg:
    185. 

  185. -	pg = lockless_dereference(m->current_pg);
    186. 

  186. +	pg = READ_ONCE(m->current_pg);
    187. 

  187.  	if (pg) {
    188. 

  188.  		pgpath = choose_path_in_pg(m, pg, nr_bytes);
    189. 

  189.  		if (!IS_ERR_OR_NULL(pgpath))
    190. 

  190. @@ -473,7 +473,7 @@ static int multipath_clone_and_map(struct dm_target *ti, struct request *rq,
    191. 

  191.  	struct request *clone;
    192. 

  192.  
    193. 

  193.  	/* Do we need to select a new pgpath? */
    194. 

  194. -	pgpath = lockless_dereference(m->current_pgpath);
    195. 

  195. +	pgpath = READ_ONCE(m->current_pgpath);
    196. 

  196.  	if (!pgpath || !test_bit(MPATHF_QUEUE_IO, &m->flags))
    197. 

  197.  		pgpath = choose_pgpath(m, nr_bytes);
    198. 

  198.  
    199. 

  199. @@ -535,7 +535,7 @@ static int __multipath_map_bio(struct multipath *m, struct bio *bio, struct dm_m
    200. 

  200.  	bool queue_io;
    201. 

  201.  
    202. 

  202.  	/* Do we need to select a new pgpath? */
    203. 

  203. -	pgpath = lockless_dereference(m->current_pgpath);
    204. 

  204. +	pgpath = READ_ONCE(m->current_pgpath);
    205. 

  205.  	queue_io = test_bit(MPATHF_QUEUE_IO, &m->flags);
    206. 

  206.  	if (!pgpath || !queue_io)
    207. 

  207.  		pgpath = choose_pgpath(m, nr_bytes);
    208. 

  208. @@ -1799,7 +1799,7 @@ static int multipath_prepare_ioctl(struct dm_target *ti,
    209. 

  209.  	struct pgpath *current_pgpath;
    210. 

  210.  	int r;
    211. 

  211.  
    212. 

  212. -	current_pgpath = lockless_dereference(m->current_pgpath);
    213. 

  213. +	current_pgpath = READ_ONCE(m->current_pgpath);
    214. 

  214.  	if (!current_pgpath)
    215. 

  215.  		current_pgpath = choose_pgpath(m, 0);
    216. 

  216.  
    217. 

  217. @@ -1821,7 +1821,7 @@ static int multipath_prepare_ioctl(struct dm_target *ti,
    218. 

  218.  	}
    219. 

  219.  
    220. 

  220.  	if (r == -ENOTCONN) {
    221. 

  221. -		if (!lockless_dereference(m->current_pg)) {
    222. 

  222. +		if (!READ_ONCE(m->current_pg)) {
    223. 

  223.  			/* Path status changed, redo selection */
    224. 

  224.  			(void) choose_pgpath(m, 0);
    225. 

  225.  		}
    226. 

  226. @@ -1890,9 +1890,9 @@ static int multipath_busy(struct dm_target *ti)
    227. 

  227.  		return (m->queue_mode != DM_TYPE_MQ_REQUEST_BASED);
    228. 

  228.  
    229. 

  229.  	/* Guess which priority_group will be used at next mapping time */
    230. 

  230. -	pg = lockless_dereference(m->current_pg);
    231. 

  231. -	next_pg = lockless_dereference(m->next_pg);
    232. 

  232. -	if (unlikely(!lockless_dereference(m->current_pgpath) && next_pg))
    233. 

  233. +	pg = READ_ONCE(m->current_pg);
    234. 

  234. +	next_pg = READ_ONCE(m->next_pg);
    235. 

  235. +	if (unlikely(!READ_ONCE(m->current_pgpath) && next_pg))
    236. 

  236.  		pg = next_pg;
    237. 

  237.  
    238. 

  238.  	if (!pg) {
    239. 

  239. diff --git a/fs/dcache.c b/fs/dcache.c
    240. 

  240. index 3203470c59c2..ccc2bcdcfdfb 100644
    241. 

  241. --- a/fs/dcache.c
    242. 

  242. +++ b/fs/dcache.c
    243. 

  243. @@ -231,7 +231,7 @@ static inline int dentry_cmp(const struct dentry *dentry, const unsigned char *c
    244. 

  244.  {
    245. 

  245.  	/*
    246. 

  246.  	 * Be careful about RCU walk racing with rename:
    247. 

  247. -	 * use 'lockless_dereference' to fetch the name pointer.
    248. 

  248. +	 * use 'READ_ONCE' to fetch the name pointer.
    249. 

  249.  	 *
    250. 

  250.  	 * NOTE! Even if a rename will mean that the length
    251. 

  251.  	 * was not loaded atomically, we don't care. The
    252. 

  252. @@ -245,7 +245,7 @@ static inline int dentry_cmp(const struct dentry *dentry, const unsigned char *c
    253. 

  253.  	 * early because the data cannot match (there can
    254. 

  254.  	 * be no NUL in the ct/tcount data)
    255. 

  255.  	 */
    256. 

  256. -	const unsigned char *cs = lockless_dereference(dentry->d_name.name);
    257. 

  257. +	const unsigned char *cs = READ_ONCE(dentry->d_name.name);
    258. 

  258.  
    259. 

  259.  	return dentry_string_cmp(cs, ct, tcount);
    260. 

  260.  }
    261. 

  261. diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c
    262. 

  262. index 3ff960372cb9..7920a3f62c19 100644
    263. 

  263. --- a/fs/overlayfs/readdir.c
    264. 

  264. +++ b/fs/overlayfs/readdir.c
    265. 

  265. @@ -440,7 +440,7 @@ static int ovl_dir_fsync(struct file *file, loff_t start, loff_t end,
    266. 

  266.  	if (!od->is_upper && OVL_TYPE_UPPER(ovl_path_type(dentry))) {
    267. 

  267.  		struct inode *inode = file_inode(file);
    268. 

  268.  
    269. 

  269. -		realfile = lockless_dereference(od->upperfile);
    270. 

  270. +		realfile = READ_ONCE(od->upperfile);
    271. 

  271.  		if (!realfile) {
    272. 

  272.  			struct path upperpath;
    273. 

  273.  
    274. 

  274. diff --git a/kernel/events/core.c b/kernel/events/core.c
    275. 

  275. index 5d4398d1fa19..9f51738bf32e 100644
    276. 

  276. --- a/kernel/events/core.c
    277. 

  277. +++ b/kernel/events/core.c
    278. 

  278. @@ -4221,7 +4221,7 @@ static void perf_remove_from_owner(struct perf_event *event)
    279. 

  279.  	 * indeed free this event, otherwise we need to serialize on
    280. 

  280.  	 * owner->perf_event_mutex.
    281. 

  281.  	 */
    282. 

  282. -	owner = lockless_dereference(event->owner);
    283. 

  283. +	owner = READ_ONCE(event->owner);
    284. 

  284.  	if (owner) {
    285. 

  285.  		/*
    286. 

  286.  		 * Since delayed_put_task_struct() also drops the last
    287. 

  287. @@ -4318,7 +4318,7 @@ int perf_event_release_kernel(struct perf_event *event)
    288. 

  288.  		 * Cannot change, child events are not migrated, see the
    289. 

  289.  		 * comment with perf_event_ctx_lock_nested().
    290. 

  290.  		 */
    291. 

  291. -		ctx = lockless_dereference(child->ctx);
    292. 

  292. +		ctx = READ_ONCE(child->ctx);
    293. 

  293.  		/*
    294. 

  294.  		 * Since child_mutex nests inside ctx::mutex, we must jump
    295. 

  295.  		 * through hoops. We start by grabbing a reference on the ctx.
    296. 

  296. diff --git a/kernel/seccomp.c b/kernel/seccomp.c
    297. 

  297. index 34aced9ff3ff..3fd2c4b23697 100644
    298. 

  298. --- a/kernel/seccomp.c
    299. 

  299. +++ b/kernel/seccomp.c
    300. 

  300. @@ -188,7 +188,7 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
    301. 

  301.  	u32 ret = SECCOMP_RET_ALLOW;
    302. 

  302.  	/* Make sure cross-thread synced filter points somewhere sane. */
    303. 

  303.  	struct seccomp_filter *f =
    304. 

  304. -			lockless_dereference(current->seccomp.filter);
    305. 

  305. +			READ_ONCE(current->seccomp.filter);
    306. 

  306.  
    307. 

  307.  	/* Ensure unexpected behavior doesn't result in failing open. */
    308. 

  308.  	if (unlikely(WARN_ON(f == NULL)))
    309. 

  309. diff --git a/kernel/task_work.c b/kernel/task_work.c
    310. 

  310. index e056d5429783..0371093a2331 100644
    311. 

  311. --- a/kernel/task_work.c
    312. 

  312. +++ b/kernel/task_work.c
    313. 

  313. @@ -67,7 +67,7 @@ task_work_cancel(struct task_struct *task, task_work_func_t func)
    314. 

  314.  	 * we raced with task_work_run(), *pprev == NULL/exited.
    315. 

  315.  	 */
    316. 

  316.  	raw_spin_lock_irqsave(&task->pi_lock, flags);
    317. 

  317. -	while ((work = lockless_dereference(*pprev))) {
    318. 

  318. +	while ((work = READ_ONCE(*pprev))) {
    319. 

  319.  		if (work->func != func)
    320. 

  320.  			pprev = &work->next;
    321. 

  321.  		else if (cmpxchg(pprev, work, work->next) == work)
    322. 

  322. -- 
    323. 

  323. 2.14.2
    324. 

  324.