From: Chintan Pandya
To: vbabka@suse.cz, labbott@redhat.com, catalin.marinas@arm.com, hannes@cmpxchg.org, f.fainelli@gmail.com, xieyisheng1@huawei.com, ard.biesheuvel@linaro.org, richard.weiyang@gmail.com, byungchul.park@lge.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, khandual@linux.vnet.ibm.com, mhocko@kernel.org, Chintan Pandya
Subject: [PATCH v2 1/2] mm: vmalloc: Avoid racy handling of debugobjects in vunmap
Date: Tue, 17 Apr 2018 16:13:47 +0530
Message-Id: <1523961828-9485-2-git-send-email-cpandya@codeaurora.org>
In-Reply-To: <1523961828-9485-1-git-send-email-cpandya@codeaurora.org>
References: <1523961828-9485-1-git-send-email-cpandya@codeaurora.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently, __vunmap flow is,
 1) Release the VM area
 2) Free the debug objects corresponding to that vm area.

This leaves some race window open.
 1) Release the VM area
 1.5) Some other client gets the same vm area
 1.6) This client allocates new debug objects on the same vm area
 2) Free the debug objects corresponding to this vm area.

Here, we actually free 'other' client's debug objects.

Fix this by freeing the debug objects first and then releasing the VM area.

Signed-off-by: Chintan Pandya

--- mm/vmalloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6729400..12d675c 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1500,7 +1500,7 @@ static void __vunmap(const void *addr, int deallocate_pages) addr)) return; - area = remove_vm_area(addr); + area = find_vmap_area((unsigned long)addr)->vm; if (unlikely(!area)) { WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n", addr); 
@@ -1510,6 +1510,7 @@ static void __vunmap(const void *addr, int deallocate_pages) debug_check_no_locks_freed(addr, get_vm_area_size(area)); debug_check_no_obj_freed(addr, get_vm_area_size(area)); + remove_vm_area(addr); if (deallocate_pages) { int i; -- Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc., is a member of Code Aurora Forum, a Linux Foundation Collaborative Project
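
Review bot: In the first hunk (@@ -1500,7 +1500,7 @@), `find_vmap_area((unsigned long)addr)->vm` dereferences the lookup result before the `if (unlikely(!area))` check that follows it, so for an address with no vm area the `->vm` access faults instead of reaching the "Trying to vfree() nonexistent vm area" WARN. Keep the lookup result in a local pointer, test it for NULL, and only then read `->vm`, so the existing error path still handles a bad `addr`.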
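
Review bot: In the second hunk (@@ -1510,6 +1510,7 @@), the added `remove_vm_area(addr);` discards its return value, while the line removed in the first hunk used that value as `area`; nothing here checks that the area being removed is the same `area` the two `debug_check_*` calls just sized with `get_vm_area_size(area)`. Compare the returned pointer with `area` and WARN on a mismatch, and add a short comment above the call saying the debug objects must be freed before the area is released, since that ordering is the entire fix and is easy to undo in a later cleanup.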