Date: Mon, 17 Jun 2019 16:40:31 +0200
From: Roman Penyaev
To: Arnd Bergmann
Cc: "Uladzislau Rezki (Sony)", Roman Gushchin, Michal Hocko, Matthew Wilcox, Thomas Garnier, Oleksiy Avramchenko, Steven Rostedt, Joel Fernandes, Thomas Gleixner, Ingo Molnar, Tejun Heo, Andrew Morton, Linus Torvalds, Stephen Rothwell, Rick Edgecombe, Andrey Ryabinin, Mike Rapoport, Linux-MM, Linux Kernel Mailing List
Subject: Re: [BUG]: mm/vmalloc: uninitialized variable access in pcpu_get_vm_areas
References: <20190617121427.77565-1-arnd@arndb.de> <457d8e5e453a18faf358bc1360a19003@suse.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2019-06-17 16:04, Arnd Bergmann wrote:
> On Mon, Jun 17, 2019 at 3:49 PM Roman Penyaev wrote:
>> > augment_tree_propagate_from(va);
>> >
>> > - if (type == NE_FIT_TYPE)
>> > - insert_vmap_area_augment(lva, &va->rb_node,
>> > - &free_vmap_area_root, &free_vmap_area_list);
>> > - }
>> > -
>> > return 0;
>> > }
>>
>> Hi Arnd,
>>
>> Seems the proper fix is just setting lva to NULL. The only place
>> where lva is allocated and then used is when type == NE_FIT_TYPE,
>> so according to my shallow understanding of the code everything
>> should be fine.
>
> I don't see how NULL could work here. insert_vmap_area_augment()
> passes the va pointer into find_va_links() and link_va(), both of
> which dereference the pointer, see

Exactly, but insert_vmap_area_augment() accepts 'va', not 'lva', but in
your variant 'va' is already freed (see type == FL_FIT_TYPE branch, on top
of that function). So that should be use-after-free.

--
Roman
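Review bot: the quoted hunk deletes the `if (type == NE_FIT_TYPE)` / `insert_vmap_area_augment(lva, &va->rb_node, ...)` call together with a closing `}` and the blank line after it, while `augment_tree_propagate_from(va);` and `return 0;` stay as context; the opening brace that matched the removed `}` and the new location of the lva insertion are not among the quoted lines, so neither brace balance nor the requirement that lva (not va) is still linked into the free tree exactly once for NE_FIT_TYPE can be checked from this excerpt. The reply above states that in this variant the insertion ends up taking 'va' after the FL_FIT_TYPE branch has already freed it; quoting the whole function diff, including that branch, would let the free-versus-insert ordering be reviewed directly.

The split that Roman and Arnd are arguing about, as an added example that is not part of this thread or of the kernel source: a user-space C model of adjust_va_to_fit_type() with lva initialised to NULL, so that the later insertion is guarded by lva itself rather than by type == NE_FIT_TYPE. The enum values, the sorted singly linked list standing in for the kernel's augmented rbtree, and malloc/free standing in for the vmap_area kmem_cache are all simplifications assumed here; find_link, reset_free_list and count_free are helpers of this example, not kernel functions.

```c
/*
 * Added example, not kernel code: a user-space model of the free-VA split
 * done by adjust_va_to_fit_type() in mm/vmalloc.c, showing why lva = NULL
 * plus a NULL test is equivalent to testing type == NE_FIT_TYPE. A sorted
 * singly linked list of [va_start, va_end) ranges and malloc/free stand in
 * for the kernel's augmented rbtree and vmap_area kmem_cache (assumptions).
 */
#include <stdlib.h>

enum fit_type {
	NOTHING_FIT = 0,
	FL_FIT_TYPE = 1,	/* request covers the whole free area */
	LE_FIT_TYPE = 2,	/* request starts at va_start */
	RE_FIT_TYPE = 3,	/* request ends at va_end */
	NE_FIT_TYPE = 4,	/* request strictly inside: va must be split */
};

struct vmap_area {
	unsigned long va_start, va_end;
	struct vmap_area *next;
};

static struct vmap_area *free_list;	/* sorted by va_start */

/* Helper of this example: address of the pointer linking va into free_list. */
static struct vmap_area **find_link(const struct vmap_area *va)
{
	struct vmap_area **pp = &free_list;
	while (*pp && *pp != va)
		pp = &(*pp)->next;
	return pp;
}

static enum fit_type classify_va_fit_type(const struct vmap_area *va,
		unsigned long nva_start_addr, unsigned long size)
{
	unsigned long nva_end = nva_start_addr + size;
	if (nva_start_addr < va->va_start || nva_end > va->va_end)
		return NOTHING_FIT;
	if (nva_start_addr == va->va_start)
		return nva_end == va->va_end ? FL_FIT_TYPE : LE_FIT_TYPE;
	return nva_end == va->va_end ? RE_FIT_TYPE : NE_FIT_TYPE;
}

/* Carve [nva_start_addr, nva_start_addr + size) out of va; 0 on success. */
static int adjust_va_to_fit_type(struct vmap_area *va,
		unsigned long nva_start_addr, unsigned long size)
{
	struct vmap_area *lva = NULL;	/* set only on the NE_FIT_TYPE path */
	enum fit_type type = classify_va_fit_type(va, nva_start_addr, size);

	if (type == FL_FIT_TYPE) {
		*find_link(va) = va->next;
		free(va);	/* va is gone: nothing below may touch it */
	} else if (type == LE_FIT_TYPE) {
		va->va_start += size;
	} else if (type == RE_FIT_TYPE) {
		va->va_end = nva_start_addr;
	} else if (type == NE_FIT_TYPE) {
		lva = malloc(sizeof(*lva));
		if (!lva)
			return -1;
		lva->va_start = va->va_start;	/* lva keeps the left part */
		lva->va_end = nva_start_addr;
		va->va_start = nva_start_addr + size;	/* va keeps the right */
	} else {
		return -1;
	}

	/*
	 * The kernel calls augment_tree_propagate_from(va) here for every
	 * type except FL_FIT_TYPE; the list model has nothing to refresh.
	 * Testing lva is the same condition as type == NE_FIT_TYPE, and the
	 * compiler can see that lva is initialised on every path.
	 */
	if (lva) {
		struct vmap_area **pp = find_link(va);
		lva->next = va;	/* lva sorts right before the shrunken va */
		*pp = lva;
	}
	return 0;
}

/* Helper of this example: drop all free areas and start with one range. */
static int reset_free_list(unsigned long start, unsigned long end)
{
	struct vmap_area *va;
	while ((va = free_list) != NULL) {
		free_list = va->next;
		free(va);
	}
	va = malloc(sizeof(*va));
	if (!va)
		return -1;
	va->va_start = start;
	va->va_end = end;
	va->next = NULL;
	free_list = va;
	return 0;
}

/* Helper of this example: number of free areas currently on the list. */
static int count_free(void)
{
	int n = 0;
	for (const struct vmap_area *va = free_list; va; va = va->next)
		n++;
	return n;
}
```

The FL_FIT_TYPE path frees va before the tail of the function, which is why the model, like Roman's reading of the kernel code, must not touch va after that branch; the lva test keeps the insertion on the one path that allocated it, and a full request on a [0x1000, 0x9000) range followed by an interior request leaves two free areas, [0x1000, 0x3000) and [0x5000, 0x9000), with lva ahead of va in the list.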