| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 May 2019 11:12:14 -0700
From: Ralph Campbell <rcampbell@...dia.com>
To: Souptick Joarder <jrdr.linux@...il.com>
CC: Linux-MM <linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>,
John Hubbard <jhubbard@...dia.com>,
Ira Weiny <ira.weiny@...el.com>,
Dan Williams <dan.j.williams@...el.com>,
Arnd Bergmann <arnd@...db.de>,
Balbir Singh <bsingharora@...il.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
Matthew Wilcox <willy@...radead.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH 4/5] mm/hmm: hmm_vma_fault() doesn't always call
hmm_range_unregister()
On 5/7/19 6:15 AM, Souptick Joarder wrote:
> On Tue, May 7, 2019 at 5:00 AM <rcampbell@...dia.com> wrote:
>>
>> From: Ralph Campbell <rcampbell@...dia.com>
>>
>> The helper function hmm_vma_fault() calls hmm_range_register() but is
>> missing a call to hmm_range_unregister() in one of the error paths.
>> This leads to a reference count leak and ultimately a memory leak on
>> struct hmm.
>>
>> Always call hmm_range_unregister() if hmm_range_register() succeeded.
>
> How about * Call hmm_range_unregister() in error path if
> hmm_range_register() succeeded* ?
Sure, sounds good.
I'll include that in v2.
>>
>> Signed-off-by: Ralph Campbell <rcampbell@...dia.com>
>> Cc: John Hubbard <jhubbard@...dia.com>
>> Cc: Ira Weiny <ira.weiny@...el.com>
>> Cc: Dan Williams <dan.j.williams@...el.com>
>> Cc: Arnd Bergmann <arnd@...db.de>
>> Cc: Balbir Singh <bsingharora@...il.com>
>> Cc: Dan Carpenter <dan.carpenter@...cle.com>
>> Cc: Matthew Wilcox <willy@...radead.org>
>> Cc: Souptick Joarder <jrdr.linux@...il.com>
>> Cc: Andrew Morton <akpm@...ux-foundation.org>
>> ---
>> include/linux/hmm.h | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/linux/hmm.h b/include/linux/hmm.h
>> index 35a429621e1e..fa0671d67269 100644
>> --- a/include/linux/hmm.h
>> +++ b/include/linux/hmm.h
>> @@ -559,6 +559,7 @@ static inline int hmm_vma_fault(struct hmm_range *range, bool block)
>> return (int)ret;
>>
>> if (!hmm_range_wait_until_valid(range, HMM_RANGE_DEFAULT_TIMEOUT)) {
>> + hmm_range_unregister(range);
>> /*
>> * The mmap_sem was taken by driver we release it here and
>> * returns -EAGAIN which correspond to mmap_sem have been
>> @@ -570,13 +571,13 @@ static inline int hmm_vma_fault(struct hmm_range *range, bool block)
>>
>> ret = hmm_range_fault(range, block);
>> if (ret <= 0) {
>> + hmm_range_unregister(range);
>
> what is the reason to moved it up ?
I moved it up because the normal calling pattern is:
down_read(&mm->mmap_sem)
hmm_vma_fault()
hmm_range_register()
hmm_range_fault()
hmm_range_unregister()
up_read(&mm->mmap_sem)
I don't think it is a bug to unlock mmap_sem and then unregister,
it is just more consistent nesting.
>> if (ret == -EBUSY || !ret) {
>> /* Same as above, drop mmap_sem to match old API. */
>> up_read(&range->vma->vm_mm->mmap_sem);
>> ret = -EBUSY;
>> } else if (ret == -EAGAIN)
>> ret = -EBUSY;
>> - hmm_range_unregister(range);
>> return ret;
>> }
>> return 0;
>> --
>> 2.20.1
>>
Powered by blists - more mailing lists