From d3cac35cd0a2a987f7559e1829fb0253cea33872 Mon Sep 17 00:00:00 2001 From: Ralf Baechle Date: Wed, 8 Aug 2012 14:57:03 +0200 Subject: MIPS: Fix memory leak in error path of HI16/LO16 relocation handling. Commit 6f5d2e970452b5c86906adcb8e7ad246f535ba39 (lmo) / 477c4b07406357ad93d0e32788dbf3ee814eadaa (kernel.org) [[MIPS: VPE: Free relocation chain on error.] fixed the same issue in the vpe loader in 2009 but back then the same bug in module.c went unfixed. Signed-off-by: Ralf Baechle Reported-by: Akhilesh Kumar --- arch/mips/kernel/module.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'arch/mips/kernel') diff --git a/arch/mips/kernel/module.c b/arch/mips/kernel/module.c index a5066b1c3de3..e5f2f56524ea 100644 --- a/arch/mips/kernel/module.c +++ b/arch/mips/kernel/module.c @@ -146,16 +146,15 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) { unsigned long insnlo = *location; Elf_Addr val, vallo; + struct mips_hi16 *l, *next; /* Sign extend the addend we extract from the lo insn. */ vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000; if (mips_hi16_list != NULL) { - struct mips_hi16 *l; l = mips_hi16_list; while (l != NULL) { - struct mips_hi16 *next; unsigned long insn; /* @@ -201,6 +200,12 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) return 0; out_danger: + while (l) { + next = l->next; + kfree(l); + l = next; + } + pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name); return -ENOEXEC; -- cgit v1.2.3 From 861667dc82f561e65336ea67f73021b782b4ff74 Mon Sep 17 00:00:00 2001 From: Ralf Baechle Date: Wed, 8 Aug 2012 16:59:43 +0200 Subject: MIPS: Fix race condition in module relocation code. The relocation code was essentially taken from the 2.4 modutils which perform relocation in userspace. In 2.6 relocation of multiple modules may be performed in parallel by the in-kernel loader so the global variable mips_hi16_list won't fly anymore. Fix race by moving it into mod_arch_specific. [ralf@linux-mips.org: folded in Tony's followup fix. Thanks Tony!] Signed-off-by: Ralf Baechle Signed-off-by: Tony Wu Cc: linux-mips@linux-mips.org Patchwork: http://patchwork.linux-mips.org/patch/4189/ --- arch/mips/kernel/module.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'arch/mips/kernel') diff --git a/arch/mips/kernel/module.c b/arch/mips/kernel/module.c index e5f2f56524ea..8e1fb802c3e2 100644 --- a/arch/mips/kernel/module.c +++ b/arch/mips/kernel/module.c @@ -39,8 +39,6 @@ struct mips_hi16 { Elf_Addr value; }; -static struct mips_hi16 *mips_hi16_list; - static LIST_HEAD(dbe_list); static DEFINE_SPINLOCK(dbe_lock); @@ -128,8 +126,8 @@ static int apply_r_mips_hi16_rel(struct module *me, u32 *location, Elf_Addr v) n->addr = (Elf_Addr *)location; n->value = v; - n->next = mips_hi16_list; - mips_hi16_list = n; + n->next = me->arch.r_mips_hi16_list; + me->arch.r_mips_hi16_list = n; return 0; } @@ -151,9 +149,9 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) /* Sign extend the addend we extract from the lo insn. */ vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000; - if (mips_hi16_list != NULL) { + if (me->arch.r_mips_hi16_list != NULL) { - l = mips_hi16_list; + l = me->arch.r_mips_hi16_list; while (l != NULL) { unsigned long insn; @@ -187,7 +185,7 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) l = next; } - mips_hi16_list = NULL; + me->arch.r_mips_hi16_list = NULL; } /* @@ -278,6 +276,7 @@ int apply_relocate(Elf_Shdr *sechdrs, const char *strtab, pr_debug("Applying relocate section %u to %u\n", relsec, sechdrs[relsec].sh_info); + me->arch.r_mips_hi16_list = NULL; for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) { /* This is where to make the change */ location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr -- cgit v1.2.3 From c54de490a2e4e74164f747925ff05c00dfa153cd Mon Sep 17 00:00:00 2001 From: Ralf Baechle Date: Tue, 14 Aug 2012 00:34:18 +0200 Subject: MIPS: Module: Deal with malformed HI16/LO16 relocation sequences. In case a series of R_MIPS_HI16 relocations was not followed by an R_MIPS_LO16 relocation we were leaking the hi16 relocation chain. Handle that error and return an error. Signed-off-by: Ralf Baechle --- arch/mips/kernel/module.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) (limited to 'arch/mips/kernel') diff --git a/arch/mips/kernel/module.c b/arch/mips/kernel/module.c index 8e1fb802c3e2..4f8c3cba8c0c 100644 --- a/arch/mips/kernel/module.c +++ b/arch/mips/kernel/module.c @@ -140,19 +140,30 @@ static int apply_r_mips_hi16_rela(struct module *me, u32 *location, Elf_Addr v) return 0; } +static void free_relocation_chain(struct mips_hi16 *l) +{ + struct mips_hi16 *next; + + while (l) { + next = l->next; + kfree(l); + l = next; + } +} + static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) { unsigned long insnlo = *location; + struct mips_hi16 *l; Elf_Addr val, vallo; - struct mips_hi16 *l, *next; /* Sign extend the addend we extract from the lo insn. */ vallo = ((insnlo & 0xffff) ^ 0x8000) - 0x8000; if (me->arch.r_mips_hi16_list != NULL) { - l = me->arch.r_mips_hi16_list; while (l != NULL) { + struct mips_hi16 *next; unsigned long insn; /* @@ -198,11 +209,8 @@ static int apply_r_mips_lo16_rel(struct module *me, u32 *location, Elf_Addr v) return 0; out_danger: - while (l) { - next = l->next; - kfree(l); - l = next; - } + free_relocation_chain(l); + me->arch.r_mips_hi16_list = NULL; pr_err("module %s: dangerous R_MIPS_LO16 REL relocation\n", me->name); @@ -300,6 +308,19 @@ int apply_relocate(Elf_Shdr *sechdrs, const char *strtab, return res; } + /* + * Normally the hi16 list should be deallocated at this point. A + * malformed binary however could contain a series of R_MIPS_HI16 + * relocations not followed by a R_MIPS_LO16 relocation. In that + * case, free up the list and return an error. + */ + if (me->arch.r_mips_hi16_list) { + free_relocation_chain(me->arch.r_mips_hi16_list); + me->arch.r_mips_hi16_list = NULL; + + return -ENOEXEC; + } + return 0; } -- cgit v1.2.3 From cf9bfe55f24973a8f40e2c922a7e82cf09e486fd Mon Sep 17 00:00:00 2001 From: Jayachandran C Date: Tue, 14 Aug 2012 18:56:13 +0530 Subject: MIPS: Synchronize MIPS count one CPU at a time The current implementation of synchronise_count_{master,slave} blocks slave CPUs in early boot until all of them come up. This no longer works because blocking a CPU with interrupts off after notifying the CPU to be online causes problems with the current kernel. Specifically, after the workqueue changes (commit a08489c569dc1 "Pull workqueue changes from Tejun Heo") the CPU_ONLINE notification callback workqueue_cpu_up_callback() will hang on wait_for_completion(&idle_rebind.done), if the slave CPUs are blocked for synchronize_count_slave(). The changes are to update synchronize_count_{master,slave}() to handle one CPU at a time and to call synchronise_count_master() in __cpu_up() so that the CPU_ONLINE notification goes out only after the COP0 COUNT register is synchronized. [ralf@linux-mips.org: This matter only to those few platforms which are using the cp0 counter as their clocksource which are XLP, XLR and MIPS' CMP solution.] Signed-off-by: Jayachandran C Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/4216/ Signed-off-by: Ralf Baechle --- arch/mips/kernel/smp.c | 4 ++-- arch/mips/kernel/sync-r4k.c | 26 +++++++++++--------------- 2 files changed, 13 insertions(+), 17 deletions(-) (limited to 'arch/mips/kernel') diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c index 31637d8c8738..9005bf9fb859 100644 --- a/arch/mips/kernel/smp.c +++ b/arch/mips/kernel/smp.c @@ -130,7 +130,7 @@ asmlinkage __cpuinit void start_secondary(void) cpu_set(cpu, cpu_callin_map); - synchronise_count_slave(); + synchronise_count_slave(cpu); /* * irq will be enabled in ->smp_finish(), enabling it too early @@ -173,7 +173,6 @@ void smp_send_stop(void) void __init smp_cpus_done(unsigned int max_cpus) { mp_ops->cpus_done(); - synchronise_count_master(); } /* called from main before smp_init() */ @@ -206,6 +205,7 @@ int __cpuinit __cpu_up(unsigned int cpu, struct task_struct *tidle) while (!cpu_isset(cpu, cpu_callin_map)) udelay(100); + synchronise_count_master(cpu); return 0; } diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c index 842d55e411fd..7f1eca3858de 100644 --- a/arch/mips/kernel/sync-r4k.c +++ b/arch/mips/kernel/sync-r4k.c @@ -28,12 +28,11 @@ static atomic_t __cpuinitdata count_reference = ATOMIC_INIT(0); #define COUNTON 100 #define NR_LOOPS 5 -void __cpuinit synchronise_count_master(void) +void __cpuinit synchronise_count_master(int cpu) { int i; unsigned long flags; unsigned int initcount; - int nslaves; #ifdef CONFIG_MIPS_MT_SMTC /* @@ -43,8 +42,7 @@ void __cpuinit synchronise_count_master(void) return; #endif - printk(KERN_INFO "Synchronize counters across %u CPUs: ", - num_online_cpus()); + printk(KERN_INFO "Synchronize counters for CPU %u: ", cpu); local_irq_save(flags); @@ -52,7 +50,7 @@ void __cpuinit synchronise_count_master(void) * Notify the slaves that it's time to start */ atomic_set(&count_reference, read_c0_count()); - atomic_set(&count_start_flag, 1); + atomic_set(&count_start_flag, cpu); smp_wmb(); /* Count will be initialised to current timer for all CPU's */ @@ -69,10 +67,9 @@ void __cpuinit synchronise_count_master(void) * two CPUs. */ - nslaves = num_online_cpus()-1; for (i = 0; i < NR_LOOPS; i++) { - /* slaves loop on '!= ncpus' */ - while (atomic_read(&count_count_start) != nslaves) + /* slaves loop on '!= 2' */ + while (atomic_read(&count_count_start) != 1) mb(); atomic_set(&count_count_stop, 0); smp_wmb(); @@ -89,7 +86,7 @@ void __cpuinit synchronise_count_master(void) /* * Wait for all slaves to leave the synchronization point: */ - while (atomic_read(&count_count_stop) != nslaves) + while (atomic_read(&count_count_stop) != 1) mb(); atomic_set(&count_count_start, 0); smp_wmb(); @@ -97,6 +94,7 @@ void __cpuinit synchronise_count_master(void) } /* Arrange for an interrupt in a short while */ write_c0_compare(read_c0_count() + COUNTON); + atomic_set(&count_start_flag, 0); local_irq_restore(flags); @@ -108,11 +106,10 @@ void __cpuinit synchronise_count_master(void) printk("done.\n"); } -void __cpuinit synchronise_count_slave(void) +void __cpuinit synchronise_count_slave(int cpu) { int i; unsigned int initcount; - int ncpus; #ifdef CONFIG_MIPS_MT_SMTC /* @@ -127,16 +124,15 @@ void __cpuinit synchronise_count_slave(void) * so we first wait for the master to say everyone is ready */ - while (!atomic_read(&count_start_flag)) + while (atomic_read(&count_start_flag) != cpu) mb(); /* Count will be initialised to next expire for all CPU's */ initcount = atomic_read(&count_reference); - ncpus = num_online_cpus(); for (i = 0; i < NR_LOOPS; i++) { atomic_inc(&count_count_start); - while (atomic_read(&count_count_start) != ncpus) + while (atomic_read(&count_count_start) != 2) mb(); /* @@ -146,7 +142,7 @@ void __cpuinit synchronise_count_slave(void) write_c0_count(initcount); atomic_inc(&count_count_stop); - while (atomic_read(&count_count_stop) != ncpus) + while (atomic_read(&count_count_stop) != 2) mb(); } /* Arrange for an interrupt in a short while */ -- cgit v1.2.3