From: Uladzislau Rezki <urezki@gmail.com>
To: Vijayanand Jitta <vjitta@codeaurora.org>
Cc: Uladzislau Rezki <urezki@gmail.com>,
akpm@linux-foundation.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, vinmenon@codeaurora.org
Subject: Re: [PATCH] mm: vmalloc: Prevent use after free in _vm_unmap_aliases
Date: Wed, 24 Mar 2021 14:32:42 +0100 [thread overview]
Message-ID: <20210324133242.GA1906@pc638.lan> (raw)
In-Reply-To: <803dc8ec-d1a2-ed26-ddab-a5258e60d318@codeaurora.org>
>
> On 3/18/2021 10:29 PM, Uladzislau Rezki wrote:
> > On Thu, Mar 18, 2021 at 03:38:25PM +0530, vjitta@codeaurora.org wrote:
> >> From: Vijayanand Jitta <vjitta@codeaurora.org>
> >>
> >> A potential use after free can occur in _vm_unmap_aliases
> >> where an already freed vmap_area could be accessed. Consider
> >> the following scenario:
> >>
> >> Process 1                                   Process 2
> >>
> >> __vm_unmap_aliases                          __vm_unmap_aliases
> >>   purge_fragmented_blocks_allcpus             rcu_read_lock()
> >>     rcu_read_lock()
> >>       list_del_rcu(&vb->free_list)
> >>                                                 list_for_each_entry_rcu(vb .. )
> >>         __purge_vmap_area_lazy
> >>           kmem_cache_free(va)
> >>                                                   va_start = vb->va->va_start
> > Or maybe we should switch to kfree_rcu() instead of kmem_cache_free()?
> >
> > --
> > Vlad Rezki
> >
>
> Thanks for suggestion.
>
> I see free_vmap_area_lock (spinlock) is taken in __purge_vmap_area_lazy
> while it loops through list and calls kmem_cache_free on va's. So, looks
> like we can't replace it with kfree_rcu as it might cause scheduling
> within atomic context.
>
A double argument of the kfree_rcu() is a safe way to be used from atomic
contexts; it does not use any sleeping primitives, so it can be replaced.
On the other hand, I see that the per-cpu KVA allocator is only one user of
the RCU and your change fixes it. Feel free to use:
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Thanks.
--
Vlad Rezki
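Added example (my own, not code from the patch, the kernel or this thread): a single-threaded userspace model in C of the two interleavings discussed above. The RCU primitives, vmap_block and vmap_area below are toy stand-ins that borrow kernel names only to keep the mapping to the diagram obvious; the grace-period rule in rcu_read_unlock() and the poisoned static pool in place of the kmem_cache are simplifications of my own. It shows why list_del_rcu() alone does not protect the vb->va dereference that Process 2 performs after it has already picked up vb, and why deferring the free with the double-argument kfree_rcu() does, without sleeping on the freeing side.

```c
/* Toy model of the _vm_unmap_aliases race (added example, not kernel code).
 * Build: cc -Wall -std=c99 -o rcu_race rcu_race.c */
#include <stdio.h>

/* Written into a "freed" vmap_area so a late read is visible, not undefined. */
#define VA_POISON 0xdeadbeefUL

struct vmap_area  { unsigned long va_start; };
struct vmap_block { struct vmap_area *va; int on_free_list; };

/* Stand-in for the vmap_area kmem_cache: static pool, free() never called. */
static struct vmap_area va_pool[4];
static int va_pool_used;

/* Toy RCU state: nesting depth of active readers and the kfree_rcu() queue. */
static int readers;
static struct vmap_area *pending[8];
static int npending;

static struct vmap_area *vmap_area_alloc(unsigned long start)
{
    struct vmap_area *va = &va_pool[va_pool_used++];
    va->va_start = start;
    return va;
}

/* kmem_cache_free(): the object is gone now, whoever still holds a pointer. */
static void kmem_cache_free(struct vmap_area *va) { va->va_start = VA_POISON; }

/* Double-argument kfree_rcu(): only queues the object.  Nothing here can
 * sleep, which is why it is usable with free_vmap_area_lock held. */
static void kfree_rcu(struct vmap_area *va) { pending[npending++] = va; }

static void rcu_read_lock(void) { readers++; }

/* In this model the grace period ends when no reader is active.  Real RCU
 * tracks per-CPU quiescent states instead, but gives the same guarantee:
 * a queued free does not run while a reader that could still hold the
 * pointer is inside its read-side critical section. */
static void rcu_read_unlock(void)
{
    if (--readers == 0) {
        for (int i = 0; i < npending; i++)
            kmem_cache_free(pending[i]);
        npending = 0;
    }
}

/* Process 1 as in the diagram: unlink under RCU, then free immediately. */
static void purge_immediate(struct vmap_block *vb)
{
    rcu_read_lock();
    vb->on_free_list = 0;        /* list_del_rcu(&vb->free_list) */
    rcu_read_unlock();
    kmem_cache_free(vb->va);     /* __purge_vmap_area_lazy -> kmem_cache_free(va) */
}

/* Process 1 with the deferred free suggested in the thread. */
static void purge_deferred(struct vmap_block *vb)
{
    rcu_read_lock();
    vb->on_free_list = 0;        /* list_del_rcu(&vb->free_list) */
    rcu_read_unlock();
    kfree_rcu(vb->va);           /* runs only after Process 2 leaves its read side */
}

/* Process 2: it obtained vb from the list before Process 1 unlinked it, so
 * the unlink alone cannot protect the vb->va dereference that follows. */
static unsigned long process2(struct vmap_block *vb,
                              void (*process1)(struct vmap_block *))
{
    unsigned long va_start;

    rcu_read_lock();             /* list_for_each_entry_rcu(vb ..) */
    process1(vb);                /* Process 1 interleaves here */
    va_start = vb->va->va_start; /* va_start = vb->va->va_start */
    rcu_read_unlock();
    return va_start;
}

/* Returns what Process 2 observed; VA_POISON means it read freed memory. */
static unsigned long run_race(int deferred)
{
    struct vmap_block vb;

    readers = npending = va_pool_used = 0;
    vb.va = vmap_area_alloc(0x1000);
    vb.on_free_list = 1;
    return process2(&vb, deferred ? purge_deferred : purge_immediate);
}

/* After run_race() no reader is left, so a deferred free must have run by
 * now: kfree_rcu() delays the free, it does not leak the object. */
static int va_freed_after_grace_period(void)
{
    return npending == 0 && va_pool[0].va_start == VA_POISON;
}

int main(void)
{
    printf("kmem_cache_free: Process 2 read va_start = 0x%lx\n", run_race(0));
    printf("kfree_rcu:       Process 2 read va_start = 0x%lx\n", run_race(1));
    printf("vmap_area freed once the reader left: %s\n",
           va_freed_after_grace_period() ? "yes" : "no");
    return 0;
}
```

With kmem_cache_free() Process 2 reads the poison value, i.e. the use after free from the diagram; with kfree_rcu() it reads the real va_start, and the object is still released as soon as the last reader leaves its critical section. The model is single-threaded on purpose: the interleaving is forced by calling Process 1 from inside Process 2's read side, so the outcome does not depend on scheduler luck.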
Thread overview: 4+ messages
2021-03-18 10:08 vjitta
2021-03-18 16:59 ` Uladzislau Rezki
2021-03-24  3:29   ` Vijayanand Jitta
2021-03-24 13:32     ` Uladzislau Rezki [this message]