From: Andrew Morton <akpm@linux-foundation.org>
To: dan.carpenter@oracle.com, dan.j.williams@intel.com,
jgg@nvidia.com, jglisse@redhat.com, joao.m.martins@oracle.com,
Julia.Lawall@lip6.fr, Markus.Elfring@web.de,
mm-commits@vger.kernel.org, rcampbell@nvidia.com,
vishal.l.verma@intel.com, weiyongjun1@huawei.com
Subject: [folded-merged] mm-memremap_pages-convert-to-struct-range-fix.patch removed from -mm tree
Date: Tue, 13 Oct 2020 16:05:05 -0700 [thread overview]
Message-ID: <20201013230505.ijCypJ5Ag%akpm@linux-foundation.org> (raw)
In-Reply-To: <20201010231559.e148a66f744d0b4870301450@linux-foundation.org>
The patch titled
Subject: mm/hmm/test: use after free in dmirror_allocate_chunk()
has been removed from the -mm tree. Its filename was
mm-memremap_pages-convert-to-struct-range-fix.patch
This patch was dropped because it was folded into mm-memremap_pages-convert-to-struct-range.patch
------------------------------------------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: mm/hmm/test: use after free in dmirror_allocate_chunk()
The error handling code does this:
err_free:
kfree(devmem);
^^^^^^^^^^^^^
err_release:
release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
^^^^^^^^
The problem is that when we use "devmem->pagemap.range.start" the
"devmem" pointer is either NULL or freed.
Neither the allocation nor the call to request_free_mem_region() has to
be done under the lock so I moved those to the start of the function.
Link: https://lkml.kernel.org/r/20200926121402.GA7467@kadam
Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: Markus Elfring <Markus.Elfring@web.de>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
lib/test_hmm.c | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
--- a/lib/test_hmm.c~mm-memremap_pages-convert-to-struct-range-fix
+++ a/lib/test_hmm.c
@@ -460,6 +460,21 @@ static bool dmirror_allocate_chunk(struc
unsigned long pfn_last;
void *ptr;
+ devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
+ if (!devmem)
+ return -ENOMEM;
+
+ res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
+ "hmm_dmirror");
+ if (IS_ERR(res))
+ goto err_devmem;
+
+ devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
+ devmem->pagemap.range.start = res->start;
+ devmem->pagemap.range.end = res->end;
+ devmem->pagemap.ops = &dmirror_devmem_ops;
+ devmem->pagemap.owner = mdevice;
+
mutex_lock(&mdevice->devmem_lock);
if (mdevice->devmem_count == mdevice->devmem_capacity) {
@@ -472,29 +487,14 @@ static bool dmirror_allocate_chunk(struc
sizeof(new_chunks[0]) * new_capacity,
GFP_KERNEL);
if (!new_chunks)
- goto err;
+ goto err_release;
mdevice->devmem_capacity = new_capacity;
mdevice->devmem_chunks = new_chunks;
}
- res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
- "hmm_dmirror");
- if (IS_ERR(res))
- goto err;
-
- devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
- if (!devmem)
- goto err_release;
-
- devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
- devmem->pagemap.range.start = res->start;
- devmem->pagemap.range.end = res->end;
- devmem->pagemap.ops = &dmirror_devmem_ops;
- devmem->pagemap.owner = mdevice;
-
ptr = memremap_pages(&devmem->pagemap, numa_node_id());
if (IS_ERR(ptr))
- goto err_free;
+ goto err_release;
devmem->mdevice = mdevice;
pfn_first = devmem->pagemap.range.start >> PAGE_SHIFT;
@@ -525,12 +525,12 @@ static bool dmirror_allocate_chunk(struc
return true;
-err_free:
- kfree(devmem);
err_release:
- release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
-err:
mutex_unlock(&mdevice->devmem_lock);
+ release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
+err_devmem:
+ kfree(devmem);
+
return false;
}
_
Patches currently in -mm which might be from dan.carpenter@oracle.com are
mm-memremap_pages-convert-to-struct-range.patch
mm-hmm-test-fix-an-error-code-in-dmirror_allocate_chunk.patch
next prev parent reply other threads:[~2020-10-13 23:05 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-11 6:15 incoming Andrew Morton
2020-10-11 6:16 ` [patch 1/5] MAINTAINERS: change hardening mailing list Andrew Morton
2020-10-11 6:16 ` [patch 2/5] MAINTAINERS: Antoine Tenart's email address Andrew Morton
2020-10-11 6:16 ` [patch 3/5] mm: mmap: fix general protection fault in unlink_file_vma() Andrew Morton
2020-10-11 6:16 ` [patch 4/5] mm: validate inode in mapping_set_error() Andrew Morton
2020-10-11 6:16 ` [patch 5/5] mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khugepaged Andrew Morton
2020-10-13 23:02 ` [folded-merged] x86-numa-add-nohmat-option-fix.patch removed from -mm tree Andrew Morton
2020-10-13 23:02 ` [folded-merged] acpi-hmat-refactor-hmat_register_target_device-to-hmem_register_device-fix.patch " Andrew Morton
2020-10-13 23:03 ` [folded-merged] mm-memory_hotplug-introduce-default-phys_to_target_node-implementation-fix.patch " Andrew Morton
2020-10-13 23:04 ` [folded-merged] acpi-hmat-attach-a-device-for-each-soft-reserved-range-fix.patch " Andrew Morton
2020-10-13 23:05 ` Andrew Morton [this message]
2020-10-13 23:05 ` [folded-merged] mm-optimise-madvise-willneed-fix.patch " Andrew Morton
2020-10-13 23:06 ` [folded-merged] mm-convert-find_get_entry-to-return-the-head-page-fix.patch " Andrew Morton
2020-10-13 23:07 ` [folded-merged] mm-shmem-return-head-page-from-find_lock_entry-fix.patch " Andrew Morton
2020-10-13 23:08 ` [folded-merged] mm-gup-dont-permit-users-to-call-get_user_pages-with-foll_longterm-fix.patch " Andrew Morton
2020-10-13 23:09 ` [folded-merged] mm-memcg-simplify-mem_cgroup_get_max-v4.patch " Andrew Morton
2020-10-13 23:09 ` [folded-merged] mm-account-pmd-tables-like-pte-tables-fix.patch " Andrew Morton
2020-10-13 23:10 ` [folded-merged] mm-remove-src-dst-mm-parameter-in-copy_page_range-v2.patch " Andrew Morton
2020-10-13 23:10 ` [folded-merged] mm-remove-src-dst-mm-parameter-in-copy_page_range-v2-fix.patch " Andrew Morton
2020-10-13 23:12 ` [folded-merged] kasan-port-kasan-tests-to-kunit-v14.patch " Andrew Morton
2020-10-13 23:12 ` [folded-merged] mm-page_allocc-clean-code-by-removing-unnecessary-initialization-fix.patch " Andrew Morton
2020-10-13 23:13 ` [folded-merged] mm-hugetlb-take-the-free-hpage-during-the-iteration-directly-v4.patch " Andrew Morton
2020-10-13 23:13 ` [folded-merged] mm-mempool-add-else-to-split-mutually-exclusive-case-fix.patch " Andrew Morton
2020-10-13 23:14 ` [folded-merged] memblock-make-memblock_debug-and-related-functionality-private-fix.patch " Andrew Morton
2020-10-13 23:14 ` [folded-merged] arch-drivers-replace-for_each_membock-with-for_each_mem_range-fix.patch " Andrew Morton
2020-10-13 23:14 ` [folded-merged] arch-drivers-replace-for_each_membock-with-for_each_mem_range-fix-2.patch " Andrew Morton
2020-10-13 23:15 ` [folded-merged] mm-oom_adj-dont-loop-through-tasks-in-__set_oom_adj-when-not-necessary-v3.patch " Andrew Morton
2020-10-16 2:11 ` [folded-merged] powerpc-mm-move-setting-pte-specific-flags-to-pfn_pte-fix.patch " Andrew Morton
2020-10-16 2:12 ` [folded-merged] mm-debug_vm_pgtable-hugetlb-disable-hugetlb-test-on-ppc64-fix.patch " Andrew Morton
2020-10-16 2:13 ` [folded-merged] mm-debug_vm_pgtable-avoid-none-pte-in-pte_clear_test-fix.patch " Andrew Morton
2020-10-16 2:14 ` [folded-merged] xarray-add-xa_get_order-fix.patch " Andrew Morton
2020-10-16 2:14 ` [folded-merged] xarray-add-xas_split-fix.patch " Andrew Morton
2020-10-16 2:14 ` [folded-merged] xarray-add-xas_split-fix-2.patch " Andrew Morton
2020-10-16 2:14 ` [folded-merged] xarray-add-xas_split-fix-3patch.patch " Andrew Morton
2020-10-16 2:15 ` [folded-merged] mm-memory-remove-page-fault-assumption-of-compound-page-size-fix.patch " Andrew Morton
2020-10-16 2:16 ` [folded-merged] mm-memory_hotplug-simplify-page-offlining-fix.patch " Andrew Morton
2020-10-16 2:17 ` [folded-merged] kernel-resource-make-release_mem_region_adjustable-never-fail-fix.patch " Andrew Morton
2020-10-16 2:19 ` [folded-merged] checkpatch-warn-on-self-assignments-checkpatch-fixes.patch " Andrew Morton
2020-10-16 2:20 ` [folded-merged] checkpatch-allow-not-using-f-with-files-that-are-in-git-fix.patch " Andrew Morton
2020-10-16 2:20 ` [folded-merged] checkpatch-emit-a-warning-on-embedded-filenames-fix.patch " Andrew Morton
2020-10-16 2:21 ` [folded-merged] fs-binfmt_elf-use-pt_load-p_align-values-for-suitable-start-address-fix.patch " Andrew Morton
2020-10-16 2:21 ` [folded-merged] fs-binfmt_elf-use-pt_load-p_align-values-for-suitable-start-address-v4.patch " Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201013230505.ijCypJ5Ag%akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=Julia.Lawall@lip6.fr \
--cc=Markus.Elfring@web.de \
--cc=dan.carpenter@oracle.com \
--cc=dan.j.williams@intel.com \
--cc=jgg@nvidia.com \
--cc=jglisse@redhat.com \
--cc=joao.m.martins@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mm-commits@vger.kernel.org \
--cc=rcampbell@nvidia.com \
--cc=vishal.l.verma@intel.com \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).