Date: Sat, 26 Sep 2020 19:17:20 -0300
From: Jason Gunthorpe
To: Dan Carpenter, Andrew Morton
Cc: Jérôme Glisse, Markus Elfring, Dan Williams, Wei Yongjun, Ralph Campbell, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()
Message-ID: <20200926221720.GK9916@ziepe.ca>
In-Reply-To: <20200926121402.GA7467@kadam>

On Sat, Sep 26, 2020 at 03:14:02PM +0300, Dan Carpenter wrote:
> The error handling code does this:
>
> err_free:
> 	kfree(devmem);
> 	^^^^^^^^^^^^^
> err_release:
> 	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
> 	                   ^^^^^^^^
> The problem is that when we use "devmem->pagemap.range.start" the
> "devmem" pointer is either NULL or freed.
>
> Neither the allocation nor the call to request_free_mem_region() has to
> be done under the lock so I moved those to the start of the function.
>
> Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
> Signed-off-by: Dan Carpenter
> Reviewed-by: Ralph Campbell
> ---
> v2: The first version introduced a locking bug
> v3: Markus Elfring pointed out that the Fixes tag was wrong. This bug
> was in the original commit and then fixed and then re-introduced. I was
> quite bothered by how this bug lasted so long in the source code, but
> now we know. As soon as it was introduced we fixed it.
>
> One problem with the kernel QC process is that I think everyone marks
> the bug as "old/dealt with" so it was only because I added a new
> check for resource leaks that it was found when it was re-introduced.
>
> lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
> 1 file changed, 22 insertions(+), 22 deletions(-)

Hi Andrew,

I don't have any hmm related patches this cycle, can you take this into
your tree?

Reviewed-by: Jason Gunthorpe

Thanks,
Jason
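The error-path ordering quoted in Dan's commit message, modelled in userland as an added example; this is not code from lib/test_hmm.c, from the patch, or from anyone in the thread. The kernel calls (kzalloc/kfree, request_free_mem_region, release_mem_region) are replaced by small stand-ins, the struct names are borrowed from the discussion, and the fail_at enum, the instrumentation counters and the quarantining sim_kfree are assumptions of the model. The "before" function keeps the err_free/err_release label order shown above; the "after" function follows the approach the message describes (allocation and region request moved to the start, unwinding in reverse order) rather than reproducing the patch, which is not on this page.

```c
/* Model of the err_free/err_release ordering from the thread. Kernel calls are
 * replaced by userland stand-ins; this is a model, not lib/test_hmm.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct range { unsigned long start; unsigned long end; };
struct dev_pagemap { struct range range; };
struct dmirror_chunk { struct dev_pagemap pagemap; bool freed; };

/* Injected failure point; FAIL_UNDER_LOCK is any step after the allocation
 * and the region request (hypothetical, for the model). */
enum fail_at { FAIL_NONE, FAIL_ALLOC, FAIL_UNDER_LOCK };

static int g_bad_accesses; /* NULL or freed pointer dereferenced */
static int g_regions_held; /* regions requested minus regions released */

static unsigned long range_len(const struct range *r) { return r->end - r->start + 1; }

static struct dmirror_chunk *sim_kzalloc(enum fail_at f)
{
    return f == FAIL_ALLOC ? NULL : calloc(1, sizeof(struct dmirror_chunk));
}

/* Quarantining free: the object is poisoned, not returned to the allocator, so a
 * later dereference is counted deterministically instead of being UB (KASAN-like). */
static void sim_kfree(struct dmirror_chunk *c) { if (c) c->freed = true; }

static void sim_request_region(struct range *r)
{
    r->start = 0x100000; r->end = 0x1fffff; /* constructed sample range */
    g_regions_held++;
}

static void sim_release_region(unsigned long start, unsigned long len) { (void)start; (void)len; g_regions_held--; }

/* Guarded stand-in for "devmem->pagemap.range": reports instead of crashing. */
static struct range *chunk_range(struct dmirror_chunk *c)
{
    if (c == NULL || c->freed) { g_bad_accesses++; return NULL; }
    return &c->pagemap.range;
}

/* 'Before': the label order quoted above. A failed allocation reaches err_release
 * with devmem == NULL; a later failure reaches it via err_free, after kfree(). */
static int allocate_chunk_buggy(enum fail_at f)
{
    struct dmirror_chunk *devmem = sim_kzalloc(f);
    struct range *r;
    if (!devmem)
        goto err_release;
    sim_request_region(&devmem->pagemap.range);
    if (f == FAIL_UNDER_LOCK)
        goto err_free;
    return 0; /* caller now owns devmem and the region */
err_free:
    sim_kfree(devmem);
err_release:
    r = chunk_range(devmem); /* NULL or already freed here */
    if (r)
        sim_release_region(r->start, range_len(r));
    return -1;
}

/* 'After', following the commit message: allocate and request the region first,
 * with nothing to unwind if that fails, then unwind in reverse order so the
 * range is read while devmem is still live. */
static int allocate_chunk_fixed(enum fail_at f)
{
    struct dmirror_chunk *devmem = sim_kzalloc(f);
    struct range *r;
    if (!devmem)
        return -1;
    sim_request_region(&devmem->pagemap.range);
    if (f == FAIL_UNDER_LOCK)
        goto err_release;
    return 0;
err_release:
    r = chunk_range(devmem);
    sim_release_region(r->start, range_len(r));
    sim_kfree(devmem);
    return -1;
}

struct outcome { int ret; int bad_accesses; int regions_leaked; };

/* Run one variant with one injected failure; regions only count as leaked
 * when the function returned an error. */
static struct outcome run_case(int (*fn)(enum fail_at), enum fail_at f)
{
    struct outcome o;
    g_bad_accesses = g_regions_held = 0;
    o.ret = fn(f);
    o.bad_accesses = g_bad_accesses;
    o.regions_leaked = o.ret == 0 ? 0 : g_regions_held;
    return o;
}
```

Running `run_case(allocate_chunk_buggy, FAIL_UNDER_LOCK)` reports one bad access and one leaked region: once the pointer is dead the release is skipped, which is the same symptom a resource-leak check would flag. The fixed variant reports neither for any injected failure.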