From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vinayak Menon, Catalin Marinas, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.4 155/268] mm/kmemleak.c: wait for scan completion before disabling free
Date: Mon, 28 May 2018 12:02:09 +0200
Message-Id: <20180528100220.018023658@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180528100202.045206534@linuxfoundation.org>
References: <20180528100202.045206534@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Vinayak Menon

[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ]

A crash is observed when kmemleak_scan accesses the object->pointer,
likely due to the following race.

  TASK A             TASK B                     TASK C
  kmemleak_write
   (with "scan" and
   NOT "scan=on")
  kmemleak_scan()
                     create_object
                     kmem_cache_alloc fails
                     kmemleak_disable
                     kmemleak_do_cleanup
                     kmemleak_free_enabled = 0
                                                kfree
                                                kmemleak_free bails out
                                                 (kmemleak_free_enabled is 0)
                                                slub frees object->pointer
  update_checksum
   crash - object->pointer
   freed (DEBUG_PAGEALLOC)

kmemleak_do_cleanup waits for the scan thread to complete, but not for a
direct call to kmemleak_scan via kmemleak_write.  So add a wait for
kmemleak_scan completion before disabling kmemleak_free, and while at it
fix the comment on stop_scan_thread.

[vinmenon@codeaurora.org: fix stop_scan_thread comment]
Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org
Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org
Signed-off-by: Vinayak Menon
Reviewed-by: Catalin Marinas
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman --- mm/kmemleak.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) --- a/mm/kmemleak.c +++ b/mm/kmemleak.c @@ -1524,8 +1524,7 @@ static void start_scan_thread(void) } /* - * Stop the automatic memory scanning thread. This function must be called - * with the scan_mutex held. + * Stop the automatic memory scanning thread. */ static void stop_scan_thread(void) { @@ -1788,12 +1787,15 @@ static void kmemleak_do_cleanup(struct w { stop_scan_thread(); + mutex_lock(&scan_mutex); /* - * Once the scan thread has stopped, it is safe to no longer track - * object freeing. Ordering of the scan thread stopping and the memory - * accesses below is guaranteed by the kthread_stop() function. + * Once it is made sure that kmemleak_scan has stopped, it is safe to no + * longer track object freeing. Ordering of the scan thread stopping and + * the memory accesses below is guaranteed by the kthread_stop() + * function. */ kmemleak_free_enabled = 0; + mutex_unlock(&scan_mutex); if (!kmemleak_found_leaks) __kmemleak_do_cleanup();
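Review bot: The first hunk (@@ -1524) removes the "must be called with the scan_mutex held" requirement from the stop_scan_thread() comment but does not say what serialises the function instead; since the second hunk shows kmemleak_do_cleanup() calling stop_scan_thread() before it takes scan_mutex, the old comment was already wrong for that caller, so it would help to state that kthread_stop() itself is the synchronisation point (as the cleanup comment already says) rather than leaving the comment silent on locking.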
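Review bot: In the second hunk (@@ -1788) the new mutex_lock(&scan_mutex) around "kmemleak_free_enabled = 0;" is the actual fix for the direct-scan path described in the commit message, because a kmemleak_scan() started from kmemleak_write() runs with scan_mutex held and so cannot still be in progress once the lock is acquired here; the rewritten comment, however, still credits the ordering solely to kthread_stop(), so it should also mention that the scan_mutex acquire/release orders the flag write after any direct scan. It is also worth confirming that kmemleak_do_cleanup() (a work function, per the truncated "struct w" in the hunk header) is never invoked from a context that already holds scan_mutex, since taking the mutex here would then deadlock.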
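A userspace model of the TASK A/B/C race from the commit message, added here as an example and not part of the patch or of kmemleak itself: a pthread mutex and barrier stand in for scan_mutex and the forced interleaving, atomic flags for kmemleak_free_enabled and for the object memory slub has freed, and run_race(1) applies the patch's wait while run_race(0) reproduces the pre-patch behaviour.

```c
#define _GNU_SOURCE            /* usleep() and pthread_barrier_t */
#include <pthread.h>
#include <stdatomic.h>
#include <unistd.h>

/* Stand-ins for kmemleak state (constructed model, not kernel code). */
static pthread_mutex_t scan_mutex = PTHREAD_MUTEX_INITIALIZER;
static pthread_barrier_t scan_started;
static atomic_int free_enabled;   /* kmemleak_free_enabled */
static atomic_int object_freed;   /* slub has freed object->pointer */
static atomic_int crashed;        /* update_checksum touched freed memory */

/* TASK A: kmemleak_write("scan") calls kmemleak_scan() under scan_mutex. */
static void *scan_task(void *arg) {
	(void)arg;
	pthread_mutex_lock(&scan_mutex);
	pthread_barrier_wait(&scan_started);  /* cleanup may now run */
	usleep(50000);                        /* scan still walking objects */
	if (atomic_load(&object_freed))       /* update_checksum(object) */
		atomic_store(&crashed, 1);
	pthread_mutex_unlock(&scan_mutex);
	return NULL;
}

/* TASK B then C: kmemleak_do_cleanup(), then kfree() of the object. */
static void *cleanup_task(void *arg) {
	int fixed = *(int *)arg;
	pthread_barrier_wait(&scan_started);
	if (fixed) pthread_mutex_lock(&scan_mutex);   /* the patch: wait for scan */
	atomic_store(&free_enabled, 0);
	if (fixed) pthread_mutex_unlock(&scan_mutex);
	/* kmemleak_free() bails out (tracking off); slub frees the memory anyway. */
	atomic_store(&object_freed, 1);
	return NULL;
}

/* Run the interleaving once; returns 1 if the scanner read freed memory. */
int run_race(int fixed) {
	pthread_t a, b;
	atomic_store(&free_enabled, 1);
	atomic_store(&object_freed, 0);
	atomic_store(&crashed, 0);
	pthread_barrier_init(&scan_started, NULL, 2);
	pthread_create(&a, NULL, scan_task, NULL);
	pthread_create(&b, NULL, cleanup_task, &fixed);
	pthread_join(a, NULL);
	pthread_join(b, NULL);
	pthread_barrier_destroy(&scan_started);
	return atomic_load(&crashed);
}
```

Build with -pthread on Linux; run_race(0) reports the scanner reading freed memory, run_race(1) reports none because the cleanup path blocks on scan_mutex until the in-flight scan returns.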