From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=casH=DG=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id AAD4BC2D0A8
	for <linux-mm@archiver.kernel.org>; Tue, 29 Sep 2020 01:26:12 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 34AC12083B
	for <linux-mm@archiver.kernel.org>; Tue, 29 Sep 2020 01:26:12 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=intel-com.20150623.gappssmtp.com header.i=@intel-com.20150623.gappssmtp.com header.b="v+cmjGck"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 34AC12083B
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 4FD3A6B005C; Mon, 28 Sep 2020 21:26:11 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 4AD5B6B005D; Mon, 28 Sep 2020 21:26:11 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 39B8F6B0062; Mon, 28 Sep 2020 21:26:11 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0112.hostedemail.com [216.40.44.112])
	by kanga.kvack.org (Postfix) with ESMTP id 1F6046B005C
	for <linux-mm@kvack.org>; Mon, 28 Sep 2020 21:26:11 -0400 (EDT)
Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id C9EEF181AE868
	for <linux-mm@kvack.org>; Tue, 29 Sep 2020 01:26:10 +0000 (UTC)
X-FDA: 77314358100.03.pull17_26183bd27186
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin03.hostedemail.com (Postfix) with ESMTP id A5D0728A4E8
	for <linux-mm@kvack.org>; Tue, 29 Sep 2020 01:26:10 +0000 (UTC)
X-HE-Tag: pull17_26183bd27186
X-Filterd-Recvd-Size: 5186
Received: from mail-ed1-f67.google.com (mail-ed1-f67.google.com [209.85.208.67])
	by imf08.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Tue, 29 Sep 2020 01:26:09 +0000 (UTC)
Received: by mail-ed1-f67.google.com with SMTP id i1so4539614edv.2
        for <linux-mm@kvack.org>; Mon, 28 Sep 2020 18:26:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intel-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=9+IiWJjSCsa3H211qi8G/I3o2LKKqrVZtYC6QtTBudg=;
        b=v+cmjGckHAAscgdJCKKcOpkZt5W7kj9wtG0S0i5i8CU6FJQsAKRy0mG7lHaKs9P1Rm
         FNf09YyuhrUkfXx4LCs0rdVCfFh3rbzyi+htTSkyDUaG/YkwS8GYQKtWsV1awNRb1W0s
         t//fBVM6GB2s48wH54hOLPGXPZ4cT3IIdMkWlARF50xs3TltKeawp1Ayud3KM/hxDUX5
         tU86Mqd0N9i21fvekjDYLCyGHQEWMrbyk+RIjUQNURCFlJFqz+QcWU4IYXnECq82TNis
         rXh05Iqs0TZGI2cm2EqJzQy8SyOTzs5asGQkpXRoUCQntEk2L9nPPkYQ2RttFm2HJV7b
         Bk4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=9+IiWJjSCsa3H211qi8G/I3o2LKKqrVZtYC6QtTBudg=;
        b=QfbEqkene3+V3Ba5F1KcSjxzHnIuF6KCA0AzYrlu9oTaRVb3BnlPVgTCNu/aVV1b+R
         yYlIOHVlch9Nafa58IdTHrlnP6MtmTPfywM/zJ5mSSaW5H8Nt+y4x2KEbQSngUE/RFxg
         3KHvoM0LPYtbCa/FpBq9GxwCllUBzwa0Ck21lMIJGljUmsIpF8t5XFR5M34bDjFxG9v5
         zNPMvNhzxk+jZy0+8sn4SKmIp/0eDuTdj5InVRme8ngU9+2CGFSnGLeS/sPHQ/nnNRFa
         7LUCUhKZCH5RBPXd6EUiA+6nPkYLsNnGP/rOv3i+MO2Y+nQNL/PIXW3zJ4IZmdr65nFV
         TGWg==
X-Gm-Message-State: AOAM530f2YIPH8rgnZNzbaUTTWGIrf9A03B/IKdd2LODrTyGTMOlkbfn
	0lkbgOYjjK4kC6hCy4Ty1rhkaXMd0uHMtVttQvXjeQ==
X-Google-Smtp-Source: ABdhPJyukjgfeJlTRPeGdPIi9Phg1aw79cup8F0sTHp1XtOitP/5r3JajS/c5S9Voy8qaoMMFVj4pyr1k2fKkYLBhkg=
X-Received: by 2002:a05:6402:3192:: with SMTP id di18mr783128edb.116.1601342768237;
 Mon, 28 Sep 2020 18:26:08 -0700 (PDT)
MIME-Version: 1.0
References: <d1b31586-426a-e0b1-803e-3eff30196c05@web.de> <20200926121402.GA7467@kadam>
 <20200926221720.GK9916@ziepe.ca> <20200928175237.6b3024fe6ad96d70c75d5de1@linux-foundation.org>
In-Reply-To: <20200928175237.6b3024fe6ad96d70c75d5de1@linux-foundation.org>
From: Dan Williams <dan.j.williams@intel.com>
Date: Mon, 28 Sep 2020 18:25:57 -0700
Message-ID: <CAPcyv4gnUrpGrrk=zq8_OTU6+448AMue+w93vB2dQM-uauR7RQ@mail.gmail.com>
Subject: Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>, Dan Carpenter <dan.carpenter@oracle.com>, 
	=?UTF-8?B?SsOpcsO0bWUgR2xpc3Nl?= <jglisse@redhat.com>, 
	Markus Elfring <Markus.Elfring@web.de>, Wei Yongjun <weiyongjun1@huawei.com>, 
	Ralph Campbell <rcampbell@nvidia.com>, Linux MM <linux-mm@kvack.org>, 
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>, kernel-janitors@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Mon, Sep 28, 2020 at 5:52 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Sat, 26 Sep 2020 19:17:20 -0300 Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> > On Sat, Sep 26, 2020 at 03:14:02PM +0300, Dan Carpenter wrote:
> > > The error handling code does this:
> > >
> > > err_free:
> > >     kfree(devmem);
> > >         ^^^^^^^^^^^^^
> > > err_release:
> > >     release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
> > >                            ^^^^^^^^
> > > The problem is that when we use "devmem->pagemap.range.start" the
> > > "devmem" pointer is either NULL or freed.
> > >
> > > Neither the allocation nor the call to request_free_mem_region() has to
> > > be done under the lock so I moved those to the start of the function.
> > >
> > > Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
> > > ---
> > > v2: The first version introduced a locking bug
> > > v3: Markus Elfring pointed out that the Fixes tag was wrong.  This bug
> > > was in the original commit and then fixed and then re-introduced.  I was
> > > quite bothered by how this bug lasted so long in the source code, but
> > > now we know.  As soon as it is introduced we fixed it.
> > >
> > > One problem with the kernel QC process is that I think everyone marks
> > > the bug as "old/dealt with" so it was only because I was added a new
> > > check for resource leaks that it was found when it was re-introduced.
> > >
> > >  lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
> > >  1 file changed, 22 insertions(+), 22 deletions(-)
> >
> > Hi Andrew,
> >
> > I don't have have any hmm related patches this cycle, can you take
> > this into your tree?
> >
> > Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
>
> Thanks.
>
> It's actually a fix against Dan Williams' -mm patch "mm/memremap_pages:
> convert to 'struct range'"

Yes, sorry, for the fix:

Acked-by: Dan Williams <dan.j.williams@intel.com>