From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vinayak Menon, Catalin Marinas, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.14 311/496] mm/kmemleak.c: wait for scan completion before disabling free
Date: Mon, 28 May 2018 12:01:36 +0200
Message-Id: <20180528100332.924396565@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100319.498712256@linuxfoundation.org>
References: <20180528100319.498712256@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinayak Menon

[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ]

A crash is observed when kmemleak_scan accesses the object->pointer,
likely due to the following race.

  TASK A                          TASK B                          TASK C
  kmemleak_write
   (with "scan" and
   NOT "scan=on")
  kmemleak_scan()
                                  create_object
                                  kmem_cache_alloc fails
                                  kmemleak_disable
                                  kmemleak_do_cleanup
                                  kmemleak_free_enabled = 0
                                                                  kfree
                                                                  kmemleak_free bails out
                                                                   (kmemleak_free_enabled is 0)
                                                                  slub frees object->pointer
  update_checksum
   crash - object->pointer freed (DEBUG_PAGEALLOC)

kmemleak_do_cleanup waits for the scan thread to complete, but not for
direct call to kmemleak_scan via kmemleak_write.  So add a wait for
kmemleak_scan completion before disabling kmemleak_free, and while at it
fix the comment on stop_scan_thread.

[vinmenon@codeaurora.org: fix stop_scan_thread comment]
Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org
Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org
Signed-off-by: Vinayak Menon
Reviewed-by: Catalin Marinas
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman --- mm/kmemleak.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -1658,8 +1658,7 @@ static void start_scan_thread(void) } /* - * Stop the automatic memory scanning thread. This function must be called - * with the scan_mutex held. + * Stop the automatic memory scanning thread. */ static void stop_scan_thread(void) { @@ -1922,12 +1921,15 @@ static void kmemleak_do_cleanup(struct w { stop_scan_thread(); + mutex_lock(&scan_mutex); /* - * Once the scan thread has stopped, it is safe to no longer track - * object freeing. Ordering of the scan thread stopping and the memory - * accesses below is guaranteed by the kthread_stop() function. + * Once it is made sure that kmemleak_scan has stopped, it is safe to no + * longer track object freeing. Ordering of the scan thread stopping and + * the memory accesses below is guaranteed by the kthread_stop() + * function. */ kmemleak_free_enabled = 0; + mutex_unlock(&scan_mutex); if (!kmemleak_found_leaks) __kmemleak_do_cleanup();
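Review bot: In the first hunk (stop_scan_thread, @@ -1658,8), dropping "This function must be called with the scan_mutex held" leaves the comment silent on locking, and the reason the requirement no longer applies is only visible in the second hunk, where kmemleak_do_cleanup() calls stop_scan_thread() before it takes scan_mutex. Keep one sentence on the rule that replaces it, for example "May be called without scan_mutex held; kthread_stop() synchronises with the scanning thread itself", so a reader of stop_scan_thread() does not have to work it out from the callers.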
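Review bot: In the second hunk (kmemleak_do_cleanup, @@ -1922,12), the rewritten comment still credits only kthread_stop() with ordering "the scan thread stopping and the memory accesses below", yet the new mutex_lock(&scan_mutex)/mutex_unlock(&scan_mutex) pair is what orders kmemleak_free_enabled = 0 against a synchronous kmemleak_scan() entered from kmemleak_write(), which is exactly the race the commit message describes. Suggest saying both: kthread_stop() covers the scan thread, scan_mutex covers the direct scan, e.g. "Once the scan thread has been stopped and scan_mutex taken, no scan is in progress, so it is safe to no longer track object freeing." Taking the mutex only after stop_scan_thread() returns is the right order, since the thread may itself be holding scan_mutex inside kmemleak_scan().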
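The TASK A / B / C interleaving from the commit message, replayed in user space as an added example; this is not kernel code and not part of the patch. It assumes pthreads, replaces the slab with a static struct whose freed flag stands in for the DEBUG_PAGEALLOC fault, and forces the interleaving deterministically with a condition-variable gate. The names kmemleak_scan, kmemleak_free, kmemleak_do_cleanup, scan_mutex and free_enabled mirror the kernel's, but their bodies are simplified stand-ins written for this illustration.

```c
/* Added example (not kernel code): user-space model of the kmemleak race. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a slab object: kfree() marks it freed instead of unmapping it,
 * so the "crash" is a detected read of freed memory rather than a fault. */
struct slab_obj { int freed; unsigned char data[16]; };

/* Stand-in for struct kmemleak_object (one tracked allocation). */
struct kl_object {
    pthread_mutex_t lock;      /* object->lock */
    int allocated;             /* OBJECT_ALLOCATED */
    struct slab_obj *pointer;  /* object->pointer */
};

static pthread_mutex_t scan_mutex = PTHREAD_MUTEX_INITIALIZER;
static int free_enabled;       /* kmemleak_free_enabled */
static struct slab_obj slab;
static struct kl_object obj;

/* Gate used by the driver to pause the scanner mid-scan (the preemption
 * point in the race diagram, made deterministic). */
static pthread_mutex_t gate_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t gate_cv = PTHREAD_COND_INITIALIZER;
static int scan_paused, scan_may_continue, scan_touched_freed_memory;

/* kmemleak_free(): untracks the object only while free tracking is on. */
static void kmemleak_free(struct slab_obj *p)
{
    if (!free_enabled)
        return;                    /* "kmemleak_free bails out" */
    pthread_mutex_lock(&obj.lock);
    if (obj.pointer == p)
        obj.allocated = 0;
    pthread_mutex_unlock(&obj.lock);
}

static void kfree(struct slab_obj *p)
{
    kmemleak_free(p);
    p->freed = 1;                          /* "slub frees object->pointer" */
    memset(p->data, 0x6b, sizeof p->data); /* POISON_FREE-style fill */
}

/* update_checksum(): reads object->pointer; under DEBUG_PAGEALLOC the kernel
 * would fault here if the backing memory had been freed. */
static void update_checksum(struct kl_object *o)
{
    if (o->pointer->freed)
        scan_touched_freed_memory = 1;
}

/* kmemleak_scan() as entered directly from kmemleak_write("scan") (TASK A). */
static void *kmemleak_scan(void *arg)
{
    (void)arg;
    pthread_mutex_lock(&scan_mutex);
    pthread_mutex_lock(&gate_lock);        /* pause after walking the list */
    scan_paused = 1;
    pthread_cond_broadcast(&gate_cv);
    while (!scan_may_continue)
        pthread_cond_wait(&gate_cv, &gate_lock);
    pthread_mutex_unlock(&gate_lock);
    pthread_mutex_lock(&obj.lock);
    if (obj.allocated)                     /* flag checked under object->lock */
        update_checksum(&obj);
    pthread_mutex_unlock(&obj.lock);
    pthread_mutex_unlock(&scan_mutex);
    return NULL;
}

/* kmemleak_do_cleanup() (TASK B); *arg selects pre-patch (0) or patched (1). */
static void *kmemleak_do_cleanup(void *arg)
{
    int fixed = *(int *)arg;
    if (fixed)
        pthread_mutex_lock(&scan_mutex);   /* the wait the patch adds */
    free_enabled = 0;
    if (fixed)
        pthread_mutex_unlock(&scan_mutex);
    return NULL;
}

/* Drives the interleaving; returns 1 if the scanner read freed memory. */
int run_race(int fixed)
{
    pthread_t scan, cleanup;
    pthread_mutex_init(&obj.lock, NULL);
    obj.allocated = 1; obj.pointer = &slab;
    slab.freed = 0; free_enabled = 1;
    scan_paused = scan_may_continue = scan_touched_freed_memory = 0;
    pthread_create(&scan, NULL, kmemleak_scan, NULL);
    pthread_mutex_lock(&gate_lock);
    while (!scan_paused)                   /* wait until TASK A is mid-scan */
        pthread_cond_wait(&gate_cv, &gate_lock);
    pthread_mutex_unlock(&gate_lock);
    pthread_create(&cleanup, NULL, kmemleak_do_cleanup, &fixed);
    if (!fixed)
        pthread_join(cleanup, NULL);       /* unpatched cleanup returns at once */
    kfree(&slab);                          /* TASK C */
    pthread_mutex_lock(&gate_lock);
    scan_may_continue = 1;                 /* let TASK A reach update_checksum */
    pthread_cond_broadcast(&gate_cv);
    pthread_mutex_unlock(&gate_lock);
    pthread_join(scan, NULL);
    if (fixed)
        pthread_join(cleanup, NULL);       /* patched cleanup ran after the scan */
    pthread_mutex_destroy(&obj.lock);
    return scan_touched_freed_memory;
}

int main(void)
{
    printf("pre-patch: scanner read freed memory = %d\n", run_race(0));
    printf("patched:   scanner read freed memory = %d\n", run_race(1));
    return 0;
}
```

With the pre-patch cleanup, free_enabled is cleared while the scan is paused, so kfree() never untracks the object and the scanner later reads a freed slab. With the patched cleanup, the mutex_lock on scan_mutex blocks until the scanner is done, so the kfree() issued meanwhile is still tracked, the object's allocated flag is cleared under object->lock, and update_checksum() is skipped.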