Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751181AbdH0CVU (ORCPT <rfc822;w@1wt.eu>);
        Sat, 26 Aug 2017 22:21:20 -0400
Received: from ex13-edg-ou-002.vmware.com ([208.91.0.190]:52098 "EHLO
        EX13-EDG-OU-002.vmware.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1751131AbdH0CVT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 26 Aug 2017 22:21:19 -0400
From: Nadav Amit <namit@vmware.com>
To: Nadia Yvette Chambers <nyc@holomorphy.com>
CC: <linux-kernel@vger.kernel.org>, Nadav Amit <nadav.amit@gmail.com>,
        Nadav Amit <namit@vmware.com>, Eric Biggers <ebiggers3@gmail.com>,
        Mike Kravetz <mike.kravetz@oracle.com>
Subject: [PATCH] hugetlbfs: change put_page/unlock_page order in hugetlbfs_fallocate()
Date: Sat, 26 Aug 2017 12:11:24 -0700
Message-ID: <20170826191124.51642-1-namit@vmware.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20170826210905.GA21712@zzz.localdomain>
References: <20170826210905.GA21712@zzz.localdomain>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1638
Lines: 44

hugetlfs_fallocate() currently performs put_page() before unlock_page().
This scenario opens a small time window, from the time the page is added
to the page cache, until it is unlocked, in which the page might be
removed from the page-cache by another core. If the page is removed
during this time windows, it might cause a memory corruption, as the
wrong page will be unlocked.

It is arguable whether this scenario can happen in a real system, and
there are several mitigating factors. The issue was found by code
inspection (actually grep), and not by actually triggering the flow.
Yet, since putting the page before unlocking is incorrect it should be
fixed, if only to prevent future breakage or someone copy-pasting this
code.

Fixes: 70c3547e36f5c ("hugetlbfs: add hugetlbfs_fallocate()")

cc: Eric Biggers <ebiggers3@gmail.com>
cc: Mike Kravetz <mike.kravetz@oracle.com>

Signed-off-by: Nadav Amit <namit@vmware.com>
---
 fs/hugetlbfs/inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 28d2753be094..9475fee79cee 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -655,11 +655,11 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
 		mutex_unlock(&hugetlb_fault_mutex_table[hash]);
 
 		/*
-		 * page_put due to reference from alloc_huge_page()
 		 * unlock_page because locked by add_to_page_cache()
+		 * page_put due to reference from alloc_huge_page()
 		 */
-		put_page(page);
 		unlock_page(page);
+		put_page(page);
 	}
 
 	if (!(mode & FALLOC_FL_KEEP_SIZE) && offset + len > inode->i_size)
-- 
2.11.0