Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1154307imm; Wed, 1 Aug 2018 11:04:53 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdwSnF98O+deZgj9lLpFP7bziE5eoFs8YlDCWeanlRFJlOBVFR9gOIhJXDoX/jzJNq6pnE0 X-Received: by 2002:a62:9bc5:: with SMTP id e66-v6mr27657235pfk.84.1533146693557; Wed, 01 Aug 2018 11:04:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533146693; cv=none; d=google.com; s=arc-20160816; b=OmI5XP03NC4YBI2cZ4U++/YVXzw9fYO3WmiSoWcKth6NqMmreFzuOAR3P7/l3f6Qi4 Ru3mzzJ0iSPLEdohpk3880FEsl4VUIhU8o9fl5Ep9irxcveGnkyxoAO/GZ6LIYdRDZuG bvI1KKwEC8e1wb4fnGw7xGfwPEyz5b0hx7S5dyFAA0j+MiY+rPV/sOgILJFuLVGVH93S vSrWpWoaweaUckz5L0c9mwy8ygpXLwWGkJwX3SMYPsUtffbjubhon8DBz39XfnFiBDGK Lx8a5bc71qZro5nPeZ3ZMUC2ADuQMTQ20sao2ewZgcTdBYDgKDQILnHcy0uv0NSw1d3X e3oA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=nNWagXc2NWYTjeYyylMu6j1xvnkQGSauZupWzJ+k/zU=; b=MTNu2XkS4O6x5dCCLmsWaARrmN4/jSej+Q4+aqFHV1SvPUKn9wWgikjiswnmezbyvc t8DLusg2TsR4sA7Ts/heeIvoHr3OksOgh6S0tyuJR/1ekPJ7pnIoPy2XonJV7Q8nu2VR lg/BowWqstmR6kc0EHvRiZ3B6unkn+Mc0dGRiq4hyBXxBaZW5AjhEJn4v3mU8fsakQ2Z M2og3xDlTGZIP6iVrHZzkWd+p6EpA10/wpNW1cKVuGPFvd3D0YROeEtj0zS9j1kjCOy3 HwH22Mlldp03wtHL08GXQue26BC3V4mGnnRsa+etsG5zxXurnYcufq96HCejI15AKumX iafQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o18-v6si14851192pgh.91.2018.08.01.11.04.38; Wed, 01 Aug 2018 11:04:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732484AbeHATuf (ORCPT + 99 others); Wed, 1 Aug 2018 15:50:35 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:50082 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2405840AbeHATIh (ORCPT ); Wed, 1 Aug 2018 15:08:37 -0400 Received: from localhost (D57E6652.static.ziggozakelijk.nl [213.126.102.82]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 17CB7135C; Wed, 1 Aug 2018 17:13:07 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Chintan Pandya , Andrew Morton , Ard Biesheuvel , Byungchul Park , Catalin Marinas , Florian Fainelli , Johannes Weiner , Laura Abbott , Vlastimil Babka , Wei Yang , Yisheng Xie , Linus Torvalds , Sasha Levin Subject: [PATCH 4.14 033/246] mm: vmalloc: avoid racy handling of debugobjects in vunmap Date: Wed, 1 Aug 2018 18:49:03 +0200 Message-Id: <20180801165013.271841319@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180801165011.700991984@linuxfoundation.org> References: <20180801165011.700991984@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Chintan Pandya [ Upstream commit f3c01d2f3ade6790db67f80fef60df84424f8964 ] Currently, __vunmap flow is, 1) Release the VM area 2) Free the debug objects corresponding to that vm area. This leave some race window open. 1) Release the VM area 1.5) Some other client gets the same vm area 1.6) This client allocates new debug objects on the same vm area 2) Free the debug objects corresponding to this vm area. Here, we actually free 'other' client's debug objects. Fix this by freeing the debug objects first and then releasing the VM area. Link: http://lkml.kernel.org/r/1523961828-9485-2-git-send-email-cpandya@codeaurora.org Signed-off-by: Chintan Pandya Reviewed-by: Andrew Morton Cc: Ard Biesheuvel Cc: Byungchul Park Cc: Catalin Marinas Cc: Florian Fainelli Cc: Johannes Weiner Cc: Laura Abbott Cc: Vlastimil Babka Cc: Wei Yang Cc: Yisheng Xie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- mm/vmalloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1519,7 +1519,7 @@ static void __vunmap(const void *addr, i addr)) return; - area = remove_vm_area(addr); + area = find_vmap_area((unsigned long)addr)->vm; if (unlikely(!area)) { WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n", addr); @@ -1529,6 +1529,7 @@ static void __vunmap(const void *addr, i debug_check_no_locks_freed(addr, get_vm_area_size(area)); debug_check_no_obj_freed(addr, get_vm_area_size(area)); + remove_vm_area(addr); if (deallocate_pages) { int i;