Received: by 2002:a25:824b:0:0:0:0:0 with SMTP id d11csp2458695ybn;
        Thu, 26 Sep 2019 12:11:33 -0700 (PDT)
X-Google-Smtp-Source: APXvYqw9remKrpM0+iGtL0a4VlVVO0qdzbVfKIiCBLvw+QyNgIpBffnULJkN1kEaz0yZ1GgZJLlA
X-Received: by 2002:a17:906:839a:: with SMTP id p26mr4558317ejx.94.1569525093548;
        Thu, 26 Sep 2019 12:11:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1569525093; cv=none;
        d=google.com; s=arc-20160816;
        b=qxNEmMYk+cYca5OThB+V8AYfaR7/4WIlAyNZw6p+45lQiGhQyDj9+DlP/z7wCqXl0u
         nq2aFUgHh3dqGUXJKD1Qe77rTLRojU+we8Nf0K3NwPkF+SuaXa0/z8bcWl6mPF8BEZ2A
         ony46onLhNRudZLZ47oQPXC59R437y5IhwD+VX/vdwoWbXBU1IYXQlK8oQ0Pfo0ftvcR
         D5zMoGfPqSbLCZGbr1O83AiPdmDTML07HMW4xa9mkqScMYSkSwkWfpSehTFq1j6PKDA5
         FkNKSjybf9pPOGp0m1aQXKEtcZuRWYkMgASZqHrHHubpwtvJBvrmapvXrFJQ7ue8AitM
         X5yA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=ks2qVspm9S/bXYCJdT4jwYVVbHkHmD7QB8KapjaLnAw=;
        b=X3Jn0dLJcrqZOSXsAVzKAi34xUq0wh6KVH8mhrnaKoFb85hjVLzkq5N6i4pdxPI6sp
         M6IFa3Q02asg3mCPUhLZMXOY6dHo4R95YTy8FyGLhU7ltYfpHD0zPe6jsW29tHkA14Xa
         VrW0keZKVTdmnZavTgsESzL7z4aY7t1Ax9uMVy719fp/JNZkFFWpbU20kG8yMWRbwhem
         E3P22CoU6lht/wMbcy6zx7/du1L+1kvI2XkEivd0/PscdoOrO5Dzr4A+/aBCFkNDd7gs
         +6XsweS9zAK0W4Yhki2D7cZV47+jxhoLYEXi9A6dp32GO+aVLPwaq83PoBB3s0loApRm
         UO2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Iaxv69CZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v7si122003edr.125.2019.09.26.12.11.09;
        Thu, 26 Sep 2019 12:11:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Iaxv69CZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728507AbfIZTJ1 (ORCPT <rfc822;plusworld97@gmail.com>
        + 99 others); Thu, 26 Sep 2019 15:09:27 -0400
Received: from mail-qk1-f196.google.com ([209.85.222.196]:45899 "EHLO
        mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727707AbfIZTJ0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 26 Sep 2019 15:09:26 -0400
Received: by mail-qk1-f196.google.com with SMTP id z67so2708488qkb.12
        for <linux-kernel@vger.kernel.org>; Thu, 26 Sep 2019 12:09:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=ks2qVspm9S/bXYCJdT4jwYVVbHkHmD7QB8KapjaLnAw=;
        b=Iaxv69CZcIcyG7EwEus9/I/xlHQUby/BE2EbJS2l2fcXlakWErmSTtYz7w+E6mYWDV
         SqhSHQGIyib04+gHbn3dQ+0sIUsx4BPNtpsOLb+aVh3vx5SMULvM6tvZURQ+6F0Toif+
         Y7my90KmnJaHAZeLv6cCtmGsTxPR//RMdgdt6MDbh7ycJCDShquXT1jkcc9+3XRbzzTy
         FBaMhjQuCh+k0/Kex4/jb0YLDAUWH28gue68Bi1VdAli2vQ5xYctT72h11KCnzNJpCj4
         WDKvBJqoVqXXgUthcR+p8y79exm6faFKC0tNGXDs3HDNdAO4deX/5zZ6Z6J2gIDtX2Zv
         Xdug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=ks2qVspm9S/bXYCJdT4jwYVVbHkHmD7QB8KapjaLnAw=;
        b=aqHlEGqTWXv3SZoQpnCb6fUYSNdFpfxkSKTVaQoDUB6EVsY683GSD/miCdMi5e+kyz
         cgHbvy0xho76vivjdMnB4DFKBQ92j7/Y9/qqvqbQ5de2rzpoav/pZrTHwxBvuuI0F9BS
         VF7jpOJpbe6Un0AEN6xY2maXmkyoVqLRxw503QLH9cbgNuOhipbRkKumjU4HNOapCdQc
         pxAVKr1I0NpP1WIPlJwT2xZApGWjIs/gkA+eajN901shf2VTNGuIIkqvWGe4Jwfhlrgr
         M3WzpoTt3cqRhm264pStzShbJW15HzziWZSPEaPBvTYG/KPYeORg49WifqF26xG5+gco
         thZA==
X-Gm-Message-State: APjAAAXrJDJpFwQvJDgeEiwUG35/W3Jy/K+D0ztpG+VTzbzzGv5hHM/3
        KnY66Gx5wKPYRcaZnWyKXA==
X-Received: by 2002:a37:4549:: with SMTP id s70mr426189qka.143.1569524964545;
        Thu, 26 Sep 2019 12:09:24 -0700 (PDT)
Received: from gabell.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206])
        by smtp.gmail.com with ESMTPSA id f144sm40062qke.132.2019.09.26.12.09.23
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 26 Sep 2019 12:09:23 -0700 (PDT)
From:   Masayoshi Mizuma <msys.mizuma@gmail.com>
To:     Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will@kernel.org>,
        linux-arm-kernel@lists.infradead.org
Cc:     Masayoshi Mizuma <msys.mizuma@gmail.com>,
        Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>,
        linux-kernel@vger.kernel.org
Subject: [PATCH 0/1] arm64/sve: Fix wrong free for task->thread.sve_state
Date:   Thu, 26 Sep 2019 15:08:45 -0400
Message-Id: <20190926190846.3072-1-msys.mizuma@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Masayoshi Mizuma <m.mizuma@jp.fujitsu.com>

The system which has SVE feature crashed by unknown
reason. According to the memory dump, the panic happened
because the memory data pointed by task->thread.sve_state was
destroyed by someone.

We tried to reproduce the crash, however, it's hard to do that.
But, we found a potential issue by reviewing the code.

In copy_process(), the child process has the pointer of sve_state
which is same as the parent's because the child's task_struct is
copied from the parent's one. If the copy_process() fails as an
error on somewhere, for example, copy_creds(), then the sve_state
is freed even if the parent is alive. The flow is as follows.

copy_process
        p = dup_task_struct
            => arch_dup_task_struct
                *dst = *src;  // copy the entire region.
:
        retval = copy_creds
        if (retval < 0)
                goto bad_fork_free;
:
bad_fork_free:
...
        delayed_free_task(p);
        => free_task
           => arch_release_task_struct
              => fpsimd_release_task
                 => __sve_free
                    => kfree(task->thread.sve_state);
                       // free the parent's sve_state

To fix that, add a flag in task->thread which shows the fork
is in progress. If the fork is in progress, that means the
child has the pointer to the parent's sve_state, doesn't
free the sve_state.

Masayoshi Mizuma (1):
  arm64/sve: Fix wrong free for task->thread.sve_state

 arch/arm64/include/asm/processor.h | 1 +
 arch/arm64/kernel/fpsimd.c         | 6 ++++--
 arch/arm64/kernel/process.c        | 2 ++
 3 files changed, 7 insertions(+), 2 deletions(-)

-- 
2.18.1