From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Ax4L=7D=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BCD53C433DF
	for <linux-mm@archiver.kernel.org>; Thu, 21 May 2020 08:05:09 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 572FE2072C
	for <linux-mm@archiver.kernel.org>; Thu, 21 May 2020 08:05:09 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=konsulko.com header.i=@konsulko.com header.b="RLczTDit"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 572FE2072C
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=konsulko.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id BA3768001F; Thu, 21 May 2020 04:05:08 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id B2D1380007; Thu, 21 May 2020 04:05:08 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 9F5F58001F; Thu, 21 May 2020 04:05:08 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0066.hostedemail.com [216.40.44.66])
	by kanga.kvack.org (Postfix) with ESMTP id 83B8E80007
	for <linux-mm@kvack.org>; Thu, 21 May 2020 04:05:08 -0400 (EDT)
Received: from smtpin24.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 39C4D181AEF1E
	for <linux-mm@kvack.org>; Thu, 21 May 2020 08:05:08 +0000 (UTC)
X-FDA: 76839990696.24.jar25_2ccbc57de8449
X-HE-Tag: jar25_2ccbc57de8449
X-Filterd-Recvd-Size: 4473
Received: from mail-lj1-f193.google.com (mail-lj1-f193.google.com [209.85.208.193])
	by imf32.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Thu, 21 May 2020 08:05:07 +0000 (UTC)
Received: by mail-lj1-f193.google.com with SMTP id w10so7212256ljo.0
        for <linux-mm@kvack.org>; Thu, 21 May 2020 01:05:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=konsulko.com; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=xwYyrdhcgxttru6O+zgCb+WawkwtRk+mCGKDAHM5bjg=;
        b=RLczTDitzOsdKHBVwtAU6380+nHepV7XkPGV8MMaaAydkfJSAARhHAZIw7IH7Ycsey
         PeTqIpaoFhQb5A0T3pOqbpjS3khvJjeSJaOqOaHxGFqnCKkx9Wo9tgOSgCyHlrkdpgzu
         Gr7MnhJK2AYV0TC6MX7s9Kj3tiArQX1d8hXC0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=xwYyrdhcgxttru6O+zgCb+WawkwtRk+mCGKDAHM5bjg=;
        b=LVUUypmuteAQgd/qZ5PlwKD/eqzD7lbQ6aQYVL3TpIL75n+iXrKrKjmwlWORphnX2u
         xDrqwDinLrbfz6IqVaHLaIEoXezClUFR478390KXn7lroZ4otPCqQiEUgdPG2CGC/ApM
         u/ZJON558J7KglEzsUD2s16EYALzqNfjjF/NxbbWCiAOZ50zKIorwGbAc/IVY2gvRqMp
         Bx/m5+vpEjKtVb6RxUOayJqSnfL03+wbKZXHBhgzpN/nJu69UQ9AXFfJdld2/L1NfkdJ
         s1VjS1qyCn7vxbQs0/cYKNr0gJe8us047AlES3cRKMln2qkQDzlVoNgj0Z3upGB5H0a2
         mk/g==
X-Gm-Message-State: AOAM530r6VRZunwdpwt8JZUPI7XRiTqyEUbJpgTi9MgXlJVHlihHtx9B
	9chsyh3DkUL9N7nzCFRkat/SlK4UBm8N7APj2yvR0Q==
X-Google-Smtp-Source: ABdhPJwWACCkuPtBimFng3XHtNS/Ox35b9wf3sQ3iZh8v8PmbrR6XblBCVE5Cod3uKBxri/rcESLvsDGj0dVX4QW2dY=
X-Received: by 2002:a2e:8154:: with SMTP id t20mr2433162ljg.326.1590048305139;
 Thu, 21 May 2020 01:05:05 -0700 (PDT)
MIME-Version: 1.0
References: <20200520082100.28876-1-vitaly.wool@konsulko.com> <20200520174608.a9a9b60e30d3d372ced5b0e3@linux-foundation.org>
In-Reply-To: <20200520174608.a9a9b60e30d3d372ced5b0e3@linux-foundation.org>
From: Vitaly Wool <vitaly.wool@konsulko.com>
Date: Thu, 21 May 2020 10:04:53 +0200
Message-ID: <CAM4kBB+hGGfnPMkSD6uGmFWTDagPhM2mWDHSBh+y7kK_h4we9g@mail.gmail.com>
Subject: Re: [PATCH] z3fold: fix use-after-free when freeing handles
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linux-MM <linux-mm@kvack.org>, stable@kernel.org, Qian Cai <cai@lca.pw>, 
	Raymond Jennings <shentino@gmail.com>, Uladzislau Rezki <uladzislau.rezki@sony.com>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000001, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, May 21, 2020 at 2:46 AM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Wed, 20 May 2020 11:21:00 +0300 vitaly.wool@konsulko.com wrote:
>
> > From: Uladzislau Rezki <uladzislau.rezki@sony.com>
> >
> > free_handle() for a foreign handle may race with inter-page
> > compaction, what can lead to memory corruption. To avoid that,
> > take write lock not read lock in free_handle to be synchronized
> > with __release_z3fold_page().
> >
> > For example KASAN can detect it:
> >
> > [   33.723357] ==================================================================
> > [   33.723401] BUG: KASAN: use-after-free in LZ4_decompress_safe+0x2c4/0x3b8
> > [   33.723418] Read of size 1 at addr ffffffc976695ca3 by task GoogleApiHandle/4121
> > [   33.723428]
> > [   33.723449] CPU: 0 PID: 4121 Comm: GoogleApiHandle Tainted: P S         OE     4.19.81-perf+ #162
> > [   33.723461] Hardware name: Sony Mobile Communications. PDX-203(KONA) (DT)
> > [   33.723473] Call trace:
> > [   33.723495] dump_backtrace+0x0/0x288
> > [   33.723512] show_stack+0x14/0x20
> > [   33.723533] dump_stack+0xe4/0x124
> > [   33.723551] print_address_description+0x80/0x2e0
> > [   33.723566] kasan_report+0x268/0x2d0
> > [   33.723584] __asan_load1+0x4c/0x58
> > [   33.723601] LZ4_decompress_safe+0x2c4/0x3b8
> > [   33.723619] lz4_decompress_crypto+0x3c/0x70
> > [   33.723636] crypto_decompress+0x58/0x70
> > [   33.723656] zcomp_decompress+0xd4/0x120
> > ...
> >
> > Apart from that, initialize zhdr->mapped_count in init_z3fold_page()
> > and remove "newpage" variable because it is not used anywhere.
> >
> > Signed-off-by: Uladzislau Rezki <uladzislau.rezki@sony.com>
> > Signed-off-by: Vitaly Wool <vitaly.wool@konsulko.com>
>
> I assume that a cc:stable is appropriate here?

Absolutely. stable was in fact in CC: but it didn't reflect in the
patch for some reason. Thanks!

~Vitaly