Received: by 10.192.165.156 with SMTP id m28csp693538imm;
        Fri, 13 Apr 2018 06:19:05 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+ME4sOFKsx8kLZ/BkV+VhF/5tCZXBz1VSMA89Uhi4bXqnIWbrnKEcu2gjpvDm76q3FAwIr
X-Received: by 2002:a17:902:52ec:: with SMTP id a99-v6mr4257064pli.371.1523625545252;
        Fri, 13 Apr 2018 06:19:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523625545; cv=none;
        d=google.com; s=arc-20160816;
        b=LVHloUIhJVuKngDYNs5rA0X/2DWDXcOM1q4aaywcf498T3g4sooJ+gwRahRF5TIhK9
         CnAFuL7AqidE9aOlVujyb7tTbOKCVaPrggrxi+8+0IMzpfrPrA1ELcS5nGta7GJeqzl7
         DpJnkTVGKySim+FyCFfRHe7etn7pvlZM8ei4+k2Q/2e91f4AazAIigmClAJaaxyDySLC
         FyNDFvITSvTFpCmIVNxaBV34Gu8ehR6FEM0W80Adi4xrRkANdspXynuEZ/87/fY0rFdh
         IMbTfLpgw7vC32Fx1mWn2UtmHaziPIBBPcZMs3BVz71fOI4bw2ongR0XMSC63LuFVLXa
         faOg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dmarc-filter:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=pxmQrXKntwL+4KpADKbHeR2zBaKUiQH1dr5c0l7jYXo=;
        b=gJjAxbPLAXwM4WmOXbtIivfpYZkHL0vIHFu9shlYGLr+FXGiUXQZORx3wK59pyuY6l
         tpBRFXOPd3/yR0I0NqRrD8Y8woMz576wmBtW96tXpLAIOGra6uWAqTNlP1C2Oy6tuRwt
         bN2bFClvf615da2EHHnKycJE+wi8g28fzBKtYgIYv3qgSam4RHM9fgnkYFx0u0ZH+thR
         ExulCK2FX+LOdBOvaY4+S3Bz6+WdiwVez/3upk23BGWw8Uu1P5XyGbQZbCgPULy2aHFl
         hqtL+1xPrSIQHAOxLiMks0GkwxpYlq7hc4v5zk7XSNFkzMC8rSMSy/1oH7liVoRP8D3L
         ty5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=YRZZyCKm;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=ZgUsvz9y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h80si4612740pfj.129.2018.04.13.06.18.50;
        Fri, 13 Apr 2018 06:19:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=YRZZyCKm;
       dkim=pass header.i=@codeaurora.org header.s=default header.b=ZgUsvz9y;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754463AbeDMLeR (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Fri, 13 Apr 2018 07:34:17 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:39300 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754410AbeDMLeP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Apr 2018 07:34:15 -0400
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
        id B202460F92; Fri, 13 Apr 2018 11:34:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1523619254;
        bh=WpoCXis+RI3ei6PmuvdGLjNv4+TBXxv02qkJgqlxHtg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=YRZZyCKmfdYLsPRTIJHqZnmhCFyayUuLKc8SuuRTzu9S4nHZRegvQ00fy2/98ctzK
         3hlXeB55hau+2C4usNaSyUtXGVGjBvuq/IUoMlYfG4cyMt24enDMpk8J3YUEpgwE+9
         Tu0d6C0tVSdsbDvoWj7xec1tcDjd5izCVxn2lFYU=
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
        pdx-caf-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.8 required=2.0 tests=ALL_TRUSTED,BAYES_00,
        DKIM_SIGNED,T_DKIM_INVALID autolearn=no autolearn_force=no version=3.4.0
Received: from cpandya-linux.qualcomm.com (blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.19.19])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: cpandya@smtp.codeaurora.org)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id 10D966090E;
        Fri, 13 Apr 2018 11:34:09 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1523619253;
        bh=WpoCXis+RI3ei6PmuvdGLjNv4+TBXxv02qkJgqlxHtg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ZgUsvz9yFsbNGNo5x8DVhQ3260tWWUKaOsgtp/bBbi6g0CpY+wJ6xDY09JBgdngtK
         HFVx3E2sG/r7HRXIGzYI71NznH9cbYhhiFKJIWuCJZ1ThI9yZVlRzbTYw3+HaPc5oY
         MNqxAoM7tWB4AW1SFcfkhtt+g0kdjX3BulLDExss=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 10D966090E
Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=cpandya@codeaurora.org
From:   Chintan Pandya <cpandya@codeaurora.org>
To:     vbabka@suse.cz, labbott@redhat.com, catalin.marinas@arm.com,
        hannes@cmpxchg.org, f.fainelli@gmail.com, xieyisheng1@huawei.com,
        ard.biesheuvel@linaro.org, richard.weiyang@gmail.com,
        byungchul.park@lge.com
Cc:     linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Chintan Pandya <cpandya@codeaurora.org>
Subject: [PATCH 1/2] mm: vmalloc: Avoid racy handling of debugobjects in vunmap
Date:   Fri, 13 Apr 2018 17:03:53 +0530
Message-Id: <1523619234-17635-2-git-send-email-cpandya@codeaurora.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1523619234-17635-1-git-send-email-cpandya@codeaurora.org>
References: <1523619234-17635-1-git-send-email-cpandya@codeaurora.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently, __vunmap flow is,
 1) Release the VM area
 2) Free the debug objects corresponding to that vm area.

This leave some race window open.
 1) Release the VM area
 1.5) Some other client gets the same vm area
 1.6) This client allocates new debug objects on the same
      vm area
 2) Free the debug objects corresponding to this vm area.

Here, we actually free 'other' client's debug objects.

Fix this by freeing the debug objects first and then
releasing the VM area.

Signed-off-by: Chintan Pandya <cpandya@codeaurora.org>
---
 mm/vmalloc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c
index ebff729..9ff21a1 100644
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -1519,7 +1519,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
 			addr))
 		return;
 
-	area = remove_vm_area(addr);
+	area = find_vmap_area((unsigned long)addr)->vm;
 	if (unlikely(!area)) {
 		WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n",
 				addr);
@@ -1529,6 +1529,7 @@ static void __vunmap(const void *addr, int deallocate_pages)
 	debug_check_no_locks_freed(addr, get_vm_area_size(area));
 	debug_check_no_obj_freed(addr, get_vm_area_size(area));
 
+	remove_vm_area(addr);
 	if (deallocate_pages) {
 		int i;
 
-- 
Qualcomm India Private Limited, on behalf of Qualcomm Innovation
Center, Inc., is a member of Code Aurora Forum, a Linux Foundation
Collaborative Project