Revision 7ff57e98fb78ad94edafbdc7435f2d745e9e6bb5 authored by Fabio M. De Francesco on 23 February 2022, 10:02:52 UTC, committed by Jakub Kicinski on 24 February 2022, 17:09:33 UTC
smc_pnetid_by_table_ib() uses read_lock() and then it calls smc_pnet_apply_ib()
which, in turn, calls mutex_lock(&smc_ib_devices.mutex).
read_lock() disables preemption. Therefore, the code acquires a mutex while in
atomic context and it leads to a SAC bug.
Fix this bug by replacing the rwlock with a mutex.
Reported-and-tested-by: syzbot+4f322a6d84e991c38775@syzkaller.appspotmail.com
Fixes: 64e28b52c7a6 ("net/smc: add pnet table namespace support")
Confirmed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Acked-by: Karsten Graul <kgraul@linux.ibm.com>
Link: https://lore.kernel.org/r/20220223100252.22562-1-fmdefrancesco@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent e13ad14
stmp_device.c
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 1999 ARM Limited
* Copyright (C) 2000 Deep Blue Solutions Ltd
* Copyright 2006-2007,2010 Freescale Semiconductor, Inc. All Rights Reserved.
* Copyright 2008 Juergen Beisert, kernel@pengutronix.de
* Copyright 2009 Ilya Yanok, Emcraft Systems Ltd, yanok@emcraft.com
* Copyright (C) 2011 Wolfram Sang, Pengutronix e.K.
*/
#include <linux/io.h>
#include <linux/errno.h>
#include <linux/delay.h>
#include <linux/compiler.h>
#include <linux/export.h>
#include <linux/stmp_device.h>
#define STMP_MODULE_CLKGATE (1 << 30)
#define STMP_MODULE_SFTRST (1 << 31)
/*
* Clear the bit and poll it cleared. This is usually called with
* a reset address and mask being either SFTRST(bit 31) or CLKGATE
* (bit 30).
*/
static int stmp_clear_poll_bit(void __iomem *addr, u32 mask)
{
int timeout = 0x400;
writel(mask, addr + STMP_OFFSET_REG_CLR);
udelay(1);
while ((readl(addr) & mask) && --timeout)
/* nothing */;
return !timeout;
}
int stmp_reset_block(void __iomem *reset_addr)
{
int ret;
int timeout = 0x400;
/* clear and poll SFTRST */
ret = stmp_clear_poll_bit(reset_addr, STMP_MODULE_SFTRST);
if (unlikely(ret))
goto error;
/* clear CLKGATE */
writel(STMP_MODULE_CLKGATE, reset_addr + STMP_OFFSET_REG_CLR);
/* set SFTRST to reset the block */
writel(STMP_MODULE_SFTRST, reset_addr + STMP_OFFSET_REG_SET);
udelay(1);
/* poll CLKGATE becoming set */
while ((!(readl(reset_addr) & STMP_MODULE_CLKGATE)) && --timeout)
/* nothing */;
if (unlikely(!timeout))
goto error;
/* clear and poll SFTRST */
ret = stmp_clear_poll_bit(reset_addr, STMP_MODULE_SFTRST);
if (unlikely(ret))
goto error;
/* clear and poll CLKGATE */
ret = stmp_clear_poll_bit(reset_addr, STMP_MODULE_CLKGATE);
if (unlikely(ret))
goto error;
return 0;
error:
pr_err("%s(%p): module reset timeout\n", __func__, reset_addr);
return -ETIMEDOUT;
}
EXPORT_SYMBOL(stmp_reset_block);
Computing file changes ...
