From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58DD0C433DF for ; Thu, 21 May 2020 00:46:11 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 11D2F20756 for ; Thu, 21 May 2020 00:46:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="UMOfpgdX" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 11D2F20756 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 9891780008; Wed, 20 May 2020 20:46:10 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 93A3580007; Wed, 20 May 2020 20:46:10 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 876C180008; Wed, 20 May 2020 20:46:10 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0021.hostedemail.com [216.40.44.21]) by kanga.kvack.org (Postfix) with ESMTP id 742CC80007 for ; Wed, 20 May 2020 20:46:10 -0400 (EDT) Received: from smtpin27.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 2951F181AEF1F for ; Thu, 21 May 2020 00:46:10 +0000 (UTC) X-FDA: 76838884500.27.value88_8d21e2b034500 X-HE-Tag: value88_8d21e2b034500 X-Filterd-Recvd-Size: 3203 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf49.hostedemail.com (Postfix) with ESMTP for ; Thu, 21 May 2020 00:46:09 +0000 (UTC) Received: from localhost.localdomain (c-73-231-172-41.hsd1.ca.comcast.net [73.231.172.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A898E2070A; Thu, 21 May 2020 00:46:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1590021968; bh=osx0Bx6ISvna9elYXzn/sMLvIoGqkbTrrF7FOlAJZCc=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=UMOfpgdX5afwUXPRWxjF1Iu2UXbYmfoB7ypwPyKErmgRJPJwVvIh0pPlaMloYKNn6 7M7cnqV61UX+1klzrWtz6CWwcqbXxWk+3w3HRJJO/xG1a1U0vRWJDCGSP3ECtsIQNF 10LtfbaM3EGtgFyo+Rp+hlJxA6a2cLL+DJVtVZQM= Date: Wed, 20 May 2020 17:46:08 -0700 From: Andrew Morton To: vitaly.wool@konsulko.com Cc: linux-mm@kvack.org, stable@kernel.org, cai@lca.pw, shentino@gmail.com, Uladzislau Rezki Subject: Re: [PATCH] z3fold: fix use-after-free when freeing handles Message-Id: <20200520174608.a9a9b60e30d3d372ced5b0e3@linux-foundation.org> In-Reply-To: <20200520082100.28876-1-vitaly.wool@konsulko.com> References: <20200520082100.28876-1-vitaly.wool@konsulko.com> X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.31; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, 20 May 2020 11:21:00 +0300 vitaly.wool@konsulko.com wrote: > From: Uladzislau Rezki > > free_handle() for a foreign handle may race with inter-page > compaction, what can lead to memory corruption. To avoid that, > take write lock not read lock in free_handle to be synchronized > with __release_z3fold_page(). > > For example KASAN can detect it: > > [ 33.723357] ================================================================== > [ 33.723401] BUG: KASAN: use-after-free in LZ4_decompress_safe+0x2c4/0x3b8 > [ 33.723418] Read of size 1 at addr ffffffc976695ca3 by task GoogleApiHandle/4121 > [ 33.723428] > [ 33.723449] CPU: 0 PID: 4121 Comm: GoogleApiHandle Tainted: P S OE 4.19.81-perf+ #162 > [ 33.723461] Hardware name: Sony Mobile Communications. PDX-203(KONA) (DT) > [ 33.723473] Call trace: > [ 33.723495] dump_backtrace+0x0/0x288 > [ 33.723512] show_stack+0x14/0x20 > [ 33.723533] dump_stack+0xe4/0x124 > [ 33.723551] print_address_description+0x80/0x2e0 > [ 33.723566] kasan_report+0x268/0x2d0 > [ 33.723584] __asan_load1+0x4c/0x58 > [ 33.723601] LZ4_decompress_safe+0x2c4/0x3b8 > [ 33.723619] lz4_decompress_crypto+0x3c/0x70 > [ 33.723636] crypto_decompress+0x58/0x70 > [ 33.723656] zcomp_decompress+0xd4/0x120 > ... > > Apart from that, initialize zhdr->mapped_count in init_z3fold_page() > and remove "newpage" variable because it is not used anywhere. > > Signed-off-by: Uladzislau Rezki > Signed-off-by: Vitaly Wool I assume that a cc:stable is appropriate here?