From: Xiaoming Ni nixiaoming@huawei.com
mainline inclusion from mainline-v5.5-rc1 commit 1a50cb80f219c44adb6265f5071b81fc3c1deced category: bugfix bugzilla: NA CVE: NA
---------------------------------------------
[ Upstream commit 1a50cb80f219c44adb6265f5071b81fc3c1deced ]
Registering the same notifier to a hook repeatedly can cause the hook list to form a ring or lose other members of the list.
case1: An infinite loop in notifier_chain_register() can cause soft lockup atomic_notifier_chain_register(&test_notifier_list, &test1); atomic_notifier_chain_register(&test_notifier_list, &test1); atomic_notifier_chain_register(&test_notifier_list, &test2);
case2: An infinite loop in notifier_chain_register() can cause soft lockup atomic_notifier_chain_register(&test_notifier_list, &test1); atomic_notifier_chain_register(&test_notifier_list, &test1); atomic_notifier_call_chain(&test_notifier_list, 0, NULL);
case3: lose other hook test2 atomic_notifier_chain_register(&test_notifier_list, &test1); atomic_notifier_chain_register(&test_notifier_list, &test2); atomic_notifier_chain_register(&test_notifier_list, &test1);
case4: Unregister returns 0, but the hook is still in the linked list, and it is not really registered. If you call notifier_call_chain after ko is unloaded, it will trigger oops.
If the system is configured with softlockup_panic and the same hook is repeatedly registered on the panic_notifier_list, it will cause a loop panic.
Add a check in notifier_chain_register(), intercepting duplicate registrations to avoid infinite loops
Link: http://lkml.kernel.org/r/1568861888-34045-2-git-send-email-nixiaoming@huawei... Signed-off-by: Xiaoming Ni nixiaoming@huawei.com Reviewed-by: Vasily Averin vvs@virtuozzo.com Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Alexey Dobriyan adobriyan@gmail.com Cc: Anna Schumaker anna.schumaker@netapp.com Cc: Arjan van de Ven arjan@linux.intel.com Cc: J. Bruce Fields bfields@fieldses.org Cc: Chuck Lever chuck.lever@oracle.com Cc: David S. Miller davem@davemloft.net Cc: Jeff Layton jlayton@kernel.org Cc: Andy Lutomirski luto@kernel.org Cc: Ingo Molnar mingo@kernel.org Cc: Nadia Derbey Nadia.Derbey@bull.net Cc: "Paul E. McKenney" paulmck@kernel.org Cc: Sam Protsenko semen.protsenko@linaro.org Cc: Alan Stern stern@rowland.harvard.edu Cc: Thomas Gleixner tglx@linutronix.de Cc: Trond Myklebust trond.myklebust@hammerspace.com Cc: Viresh Kumar viresh.kumar@linaro.org Cc: Xiaoming Ni nixiaoming@huawei.com Cc: YueHaibing yuehaibing@huawei.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ding Tianhong dingtianhong@huawei.com Reviewed-by: Xie XiuQi xiexiuqi@huawei.com Signed-off-by: Yang Yingliang yangyingliang@huawei.com --- kernel/notifier.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/kernel/notifier.c b/kernel/notifier.c index 6196af8a8223..c6de38836f50 100644 --- a/kernel/notifier.c +++ b/kernel/notifier.c @@ -22,6 +22,11 @@ static int notifier_chain_register(struct notifier_block **nl, struct notifier_block *n) { while ((*nl) != NULL) { + if (unlikely((*nl) == n)) { + WARN(1, "double register detected"); + return 0; + } + if (n->priority > (*nl)->priority) break; nl = &((*nl)->next);