Commit d6e646ad authored Sep 11, 2017 by Heiko Carstens Committed by Martin Schwidefsky Sep 28, 2017

s390/runtime instrumention: fix possible memory corruption



For PREEMPT enabled kernels the runtime instrumentation (RI) code
contains a possible use-after-free bug. If a task that makes use of RI
exits, it will execute do_exit() while still enabled for preemption.

That function will call exit_thread_runtime_instr() via
exit_thread(). If exit_thread_runtime_instr() gets preempted after the
RI control block of the task has been freed but before the pointer to
it is set to NULL, then save_ri_cb(), called from switch_to(), will
write to already freed memory.

Avoid this and simply disable preemption while freeing the control
block and setting the pointer to NULL.

Fixes: e4b8b3f3 ("s390: add support for runtime instrumentation")
Cc: <stable@vger.kernel.org> # v3.7+
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

parent 8076428f

arch/s390/kernel/runtime_instr.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -49,11 +49,13 @@ void exit_thread_runtime_instr(void)
		{
		struct task_struct *task = current;

		preempt_disable();
		if (!task->thread.ri_cb)
		return;
		disable_runtime_instr();
		kfree(task->thread.ri_cb);
		task->thread.ri_cb = NULL;
		preempt_enable();
		}

		SYSCALL_DEFINE1(s390_runtime_instr, int, command)
		@@ -64,9 +66,7 @@ SYSCALL_DEFINE1(s390_runtime_instr, int, command)
		return -EOPNOTSUPP;

		if (command == S390_RUNTIME_INSTR_STOP) {
		preempt_disable();
		exit_thread_runtime_instr();
		preempt_enable();
		return 0;
		}