From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 464ADC6379F for ; Fri, 17 Feb 2023 16:48:30 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id CE34E6B0071; Fri, 17 Feb 2023 11:48:29 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id C6C626B0072; Fri, 17 Feb 2023 11:48:29 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B0D546B0073; Fri, 17 Feb 2023 11:48:29 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 9F9616B0071 for ; Fri, 17 Feb 2023 11:48:29 -0500 (EST) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id 5EAAA16037E for ; Fri, 17 Feb 2023 16:48:29 +0000 (UTC) X-FDA: 80477367138.13.C13B77D Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by imf15.hostedemail.com (Postfix) with ESMTP id D268DA0008 for ; Fri, 17 Feb 2023 16:48:26 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=iVFzEoTN; spf=pass (imf15.hostedemail.com: domain of dave.jiang@intel.com designates 134.134.136.65 as permitted sender) smtp.mailfrom=dave.jiang@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1676652507; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=M2JCCiM0YI1cisBWBcWNF4oTgmOnWE2S/tzkU/PLmf0=; b=uLxuk+yFmGx/Xu2uk2VOIk2vlno4mNbTTAlu406WPF79j8xihqrVpzBw49Qws/GVCmocPp 7aYz8MvQk7aeS5Y5PX5LeYACP68kYQbBJJ3dA9wkCUEOkzgwBZPUCc2qJ/LgxzjAsT5Aa+ CRS4NIDU5FsG9+CwsTBQD/dCWWa8aH0= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=iVFzEoTN; spf=pass (imf15.hostedemail.com: domain of dave.jiang@intel.com designates 134.134.136.65 as permitted sender) smtp.mailfrom=dave.jiang@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1676652507; a=rsa-sha256; cv=none; b=EVVPcFjtvtfZ4BLCb+AMddepWWnTt9kr+Eq7VPIqAKmSpD0vOJLZF6uV3nxgPm4T142Foz 4CmN4MLbypp3AkjXI+b17vXQ4iumkicS4P5cV80YDcdetBWvRI5tD6W+DCmV8c7MXfqGlL eEi/hdrkfzqL87mt51EpjvzXmnN2XSI= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1676652506; x=1708188506; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=IA/4PGmAd0XvHLM9zMNTVNpe5n5IqOeMbX/Eg/2FnWc=; b=iVFzEoTNe71wRK7mFbWRHP97VCXpQ9dhwaqn9+1b9DwtE1J7Ci7d8l86 KdZeC0dOx/Q2GPcNH/ZEzhyD5xdH9UvzU3iAAZ1ERLdah3ni7JSAltZsE cp3wgUt3wKXDNR1KiBzVpiKKZk6US6hU0CmFIlm4bogpoSS7o9jfhZo9d CMN7fio/wTsE6PDUEyAwz3lKhe3swyU7InfmNCXw461KZabGh9HE3WePD C9bUZV++jtYGSFQt0QW3Gx0I/heH32GFBU8cDByPZtPnzbEov7soW29ek c+cFUREti6BQ+NH6xqWkm+edqAkCo4uU04K6UbPZkOyna0YztidEFXOmA Q==; X-IronPort-AV: E=McAfee;i="6500,9779,10624"; a="334225266" X-IronPort-AV: E=Sophos;i="5.97,306,1669104000"; d="scan'208";a="334225266" Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Feb 2023 08:48:24 -0800 X-IronPort-AV: E=McAfee;i="6500,9779,10624"; a="734368678" X-IronPort-AV: E=Sophos;i="5.97,306,1669104000"; d="scan'208";a="734368678" Received: from djiang5-mobl3.amr.corp.intel.com (HELO [10.213.187.252]) ([10.213.187.252]) by fmsmga008-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Feb 2023 08:48:23 -0800 Message-ID: Date: Fri, 17 Feb 2023 09:48:23 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Thunderbird/102.6.0 Subject: Re: [PATCH] dax/kmem: Fix leak of memory-hotplug resources Content-Language: en-US To: Dan Williams , linux-cxl@vger.kernel.org Cc: stable@vger.kernel.org, Oscar Salvador , David Hildenbrand , Pavel Tatashin , linux-mm@kvack.org References: <167653656244.3147810.5705900882794040229.stgit@dwillia2-xfh.jf.intel.com> From: Dave Jiang In-Reply-To: <167653656244.3147810.5705900882794040229.stgit@dwillia2-xfh.jf.intel.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspam-User: X-Rspamd-Server: rspam03 X-Stat-Signature: otaecrnocjrhcocw3cst4ipbkantibyj X-Rspamd-Queue-Id: D268DA0008 X-HE-Tag: 1676652506-548472 X-HE-Meta: U2FsdGVkX1/mq0TyA9sqj0LhC1gTI4YfWwSqpx9K8vedW/ootc99Uflc/uTDR7MjqgFaMhADo+LXZeCbGHn+2l2PJ52RCTNt/bMEVR0ONvwsWclu4U9QHvh0QmiZ58kJV3fR9wbROcoCvdkqMt0+oL4cTLYWVR17geYDfpeLhqFD5yzviQciA47vTcv94XTceUQCk5t++jdGjsdwWv66dOLz6LobfToxkU5t6xJuzakzWUw1dTY/jHym0BHMM6EUx6Rbof4AkJ79yFP+Guu0FfOifGLR67mUdN/1Vt5oD5oftYjrJmQpYluNl4Y66lzPnm6xGsUvLiSySsPMrVL6hVet/mHC3VV1f+wXbp1+MXCenDwr8lvBDjgyyYzV/1yBLXjBvnGuUd7IJGTyMxz6BZiYh+4Ukk15zUwJtfENHEFZXUrlJKhz9w206J+hY92T0Xu6zq3P/h/5g94Lz8pMAj4mOTGRiDAiU/3Xan87PK53gBufYT/LaAsY8FU5QVLR43LCOrD4DQN+TCsOb+tOJ2TlC2RhC+Ds6SewfTLzZabCqHhN+brojRfbAl/goE1zRIy9SF0xJgxXwklNAWJxw/98CH8pXye3HwKDmQHFP2+jKFRscFnJ8TWjkPBA2fTP1ytGdQURcKTmORlJLsfieC5I/ZwKBw+TyhHspXM+3k5z6E5hxUbUiLGZRjoGzQLnUOIA1vvcPw1NBhsZ44/X3AQQ3Lt1m315rNfJokd1B8CbwHsma06GXlDEk/cMaher3Vh2Qkuz3wMad9a041LpFzIqVf4suZR4vWfp+qd1ISk7dY3ZkIrEj74tuhD09cODmZfnAG1IFq8svmLFUATXibFuE4evg1E75sgJ40fPapZAjss9bPIHk3BsPj7CuZPbc5LC4xspSYpgI1qdQ7eTOOJjocuj8Crj2vyHlLIHHQGRugmPyP7udy7/3wOobVMa7EIOs7LCaaJMpNzrzfq RYkQk35F 2KP5ojxdP4B/zh2/qc/Rq8IGQT0CSuhs3Et3UR4xR1h6SG622t0j4SKDv9pElXp53vd9AJiYDdcy65BVKqosodeTTMcR3bcuvKH0Xkq6Vt+4QXQ3UO6K2LEtk8e6BkKw9TH/kotM1JVPXwlWdILQucskrSU8CmQYn/c1vLMkiqNNOtHxpijox6HGd4ILDXdLU8HpEGw0SNcWXNGXrOjQlf7CLsz61Uki/AeEK2dzeTJwpU0RZZnTiadruDM6s35F/4nRZBIocNPDcC1g7AejQNS5kEaRqJVlQxOZcLzCFM0NaC+OFU1Cr2z8mjuqdaKvV8NZmxzFbmeBaP+0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 2/16/23 1:36 AM, Dan Williams wrote: > While experimenting with CXL region removal the following corruption of > /proc/iomem appeared. > > Before: > f010000000-f04fffffff : CXL Window 0 > f010000000-f02fffffff : region4 > f010000000-f02fffffff : dax4.0 > f010000000-f02fffffff : System RAM (kmem) > > After (modprobe -r cxl_test): > f010000000-f02fffffff : **redacted binary garbage** > f010000000-f02fffffff : System RAM (kmem) > > ...and testing further the same is visible with persistent memory > assigned to kmem: > > Before: > 480000000-243fffffff : Persistent Memory > 480000000-57e1fffff : namespace3.0 > 580000000-243fffffff : dax3.0 > 580000000-243fffffff : System RAM (kmem) > > After (ndctl disable-region all): > 480000000-243fffffff : Persistent Memory > 580000000-243fffffff : ***redacted binary garbage*** > 580000000-243fffffff : System RAM (kmem) > > The corrupted data is from a use-after-free of the "dax4.0" and "dax3.0" > resources, and it also shows that the "System RAM (kmem)" resource is > not being removed. The bug does not appear after "modprobe -r kmem", it > requires the parent of "dax4.0" and "dax3.0" to be removed which > re-parents the leaked "System RAM (kmem)" instances. Those in turn > reference the freed resource as a parent. > > First up for the fix is release_mem_region_adjustable() needs to > reliably delete the resource inserted by add_memory_driver_managed(). > That is thwarted by a check for IORESOURCE_SYSRAM that predates the > dax/kmem driver, from commit: > > 65c78784135f ("kernel, resource: check for IORESOURCE_SYSRAM in release_mem_region_adjustable") > > That appears to be working around the behavior of HMM's > "MEMORY_DEVICE_PUBLIC" facility that has since been deleted. With that > check removed the "System RAM (kmem)" resource gets removed, but > corruption still occurs occasionally because the "dax" resource is not > reliably removed. > > The dax range information is freed before the device is unregistered, so > the driver can not reliably recall (another use after free) what it is > meant to release. Lastly if that use after free got lucky, the driver > was covering up the leak of "System RAM (kmem)" due to its use of > release_resource() which detaches, but does not free, child resources. > The switch to remove_resource() forces remove_memory() to be responsible > for the deletion of the resource added by add_memory_driver_managed(). > > Fixes: c2f3011ee697 ("device-dax: add an allocation interface for device-dax instances") > Cc: > Cc: Oscar Salvador > Cc: David Hildenbrand > Cc: Pavel Tatashin > Signed-off-by: Dan Williams Reviewed-by: Dave Jiang > --- > drivers/dax/bus.c | 2 +- > drivers/dax/kmem.c | 4 ++-- > kernel/resource.c | 14 -------------- > 3 files changed, 3 insertions(+), 17 deletions(-) > > diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c > index 012d576004e9..67a64f4c472d 100644 > --- a/drivers/dax/bus.c > +++ b/drivers/dax/bus.c > @@ -441,8 +441,8 @@ static void unregister_dev_dax(void *dev) > dev_dbg(dev, "%s\n", __func__); > > kill_dev_dax(dev_dax); > - free_dev_dax_ranges(dev_dax); > device_del(dev); > + free_dev_dax_ranges(dev_dax); > put_device(dev); > } > > diff --git a/drivers/dax/kmem.c b/drivers/dax/kmem.c > index 918d01d3fbaa..7b36db6f1cbd 100644 > --- a/drivers/dax/kmem.c > +++ b/drivers/dax/kmem.c > @@ -146,7 +146,7 @@ static int dev_dax_kmem_probe(struct dev_dax *dev_dax) > if (rc) { > dev_warn(dev, "mapping%d: %#llx-%#llx memory add failed\n", > i, range.start, range.end); > - release_resource(res); > + remove_resource(res); > kfree(res); > data->res[i] = NULL; > if (mapped) > @@ -195,7 +195,7 @@ static void dev_dax_kmem_remove(struct dev_dax *dev_dax) > > rc = remove_memory(range.start, range_len(&range)); > if (rc == 0) { > - release_resource(data->res[i]); > + remove_resource(data->res[i]); > kfree(data->res[i]); > data->res[i] = NULL; > success++; > diff --git a/kernel/resource.c b/kernel/resource.c > index ddbbacb9fb50..b1763b2fd7ef 100644 > --- a/kernel/resource.c > +++ b/kernel/resource.c > @@ -1343,20 +1343,6 @@ void release_mem_region_adjustable(resource_size_t start, resource_size_t size) > continue; > } > > - /* > - * All memory regions added from memory-hotplug path have the > - * flag IORESOURCE_SYSTEM_RAM. If the resource does not have > - * this flag, we know that we are dealing with a resource coming > - * from HMM/devm. HMM/devm use another mechanism to add/release > - * a resource. This goes via devm_request_mem_region and > - * devm_release_mem_region. > - * HMM/devm take care to release their resources when they want, > - * so if we are dealing with them, let us just back off here. > - */ > - if (!(res->flags & IORESOURCE_SYSRAM)) { > - break; > - } > - > if (!(res->flags & IORESOURCE_MEM)) > break; > >