Re: [PATCH v2] mm/hmm/test: use after free in dmirror_allocate_chunk()

Re: [PATCH v2] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Markus Elfring]

> Neither the allocation nor the call to request_free_mem_region() has to
> be done under the lock so I moved those to the start of the function.

Can this information become relevant for another update step?


> Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")

I find this commit reference interesting somehow.
How do you think about the commit 786ae133e07f2a6b352a0efad16b555ee45a2898
("lib: fix test_hmm.c reference after free" from 2020-06-26)
and the commit 1f9c4bb986d978a5e39153b39a71c9d098b65c5c ("mm/memremap_pages:
convert to 'struct range'" from 2020-09-23) for your update suggestion?

Regards,
Markus

[PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Dan Carpenter]

The error handling code does this:

err_free:
	kfree(devmem);
        ^^^^^^^^^^^^^
err_release:
	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
                           ^^^^^^^^
The problem is that when we use "devmem->pagemap.range.start" the
"devmem" pointer is either NULL or freed.

Neither the allocation nor the call to request_free_mem_region() has to
be done under the lock so I moved those to the start of the function.

Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
---
v2: The first version introduced a locking bug
v3: Markus Elfring pointed out that the Fixes tag was wrong.  This bug
was in the original commit and then fixed and then re-introduced.  I was
quite bothered by how this bug lasted so long in the source code, but
now we know.  As soon as it is introduced we fixed it.

One problem with the kernel QC process is that I think everyone marks
the bug as "old/dealt with" so it was only because I was added a new
check for resource leaks that it was found when it was re-introduced.

 lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/lib/test_hmm.c b/lib/test_hmm.c
index c8133f50160b..e151a7f10519 100644
--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -459,6 +459,22 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 	unsigned long pfn_last;
 	void *ptr;
 
+	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
+	if (!devmem)
+		return -ENOMEM;
+
+	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
+				      "hmm_dmirror");
+	if (IS_ERR(res))
+		goto err_devmem;
+
+	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
+	devmem->pagemap.range.start = res->start;
+	devmem->pagemap.range.end = res->end;
+	devmem->pagemap.nr_range = 1;
+	devmem->pagemap.ops = &dmirror_devmem_ops;
+	devmem->pagemap.owner = mdevice;
+
 	mutex_lock(&mdevice->devmem_lock);
 
 	if (mdevice->devmem_count == mdevice->devmem_capacity) {
@@ -471,30 +487,14 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 				sizeof(new_chunks[0]) * new_capacity,
 				GFP_KERNEL);
 		if (!new_chunks)
-			goto err;
+			goto err_release;
 		mdevice->devmem_capacity = new_capacity;
 		mdevice->devmem_chunks = new_chunks;
 	}
 
-	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
-					"hmm_dmirror");
-	if (IS_ERR(res))
-		goto err;
-
-	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
-	if (!devmem)
-		goto err_release;
-
-	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
-	devmem->pagemap.range.start = res->start;
-	devmem->pagemap.range.end = res->end;
-	devmem->pagemap.nr_range = 1;
-	devmem->pagemap.ops = &dmirror_devmem_ops;
-	devmem->pagemap.owner = mdevice;
-
 	ptr = memremap_pages(&devmem->pagemap, numa_node_id());
 	if (IS_ERR(ptr))
-		goto err_free;
+		goto err_release;
 
 	devmem->mdevice = mdevice;
 	pfn_first = devmem->pagemap.range.start >> PAGE_SHIFT;
@@ -525,12 +525,12 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 
 	return true;
 
-err_free:
-	kfree(devmem);
 err_release:
-	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
-err:
 	mutex_unlock(&mdevice->devmem_lock);
+	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
+err_devmem:
+	kfree(devmem);
+
 	return false;
 }
 
-- 
2.28.0

Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Markus Elfring]

> One problem with the kernel QC process is that I think everyone marks
> the bug as "old/dealt with"

Will this view trigger any more clarifications?


>                             so it was only because I was added a new
> check for resource leaks that it was found when it was re-introduced.

I would like to point once more out that the commit 786ae133e07f2a6b352a0efad16b555ee45a2898
("lib: fix test_hmm.c reference after free" from 2020-06-26)
indicated questionable implementation details according to a coccicheck run.
The available scripts for the semantic patch language can also remind you again
for desirable software improvements.

Examples:
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/coccinelle/free/kfree.cocci?id=7c7ec3226f5f33f9c050d85ec20f18419c622ad6#n2
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/coccinelle/null/deref_null.cocci?id=7c7ec3226f5f33f9c050d85ec20f18419c622ad6#n3


Will any more adjustments be achieved with the help of advanced source code
analysis tools?

Regards,
Markus

Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Jason Gunthorpe]

On Sat, Sep 26, 2020 at 03:14:02PM +0300, Dan Carpenter wrote:
> The error handling code does this:
> 
> err_free:
> 	kfree(devmem);
>         ^^^^^^^^^^^^^
> err_release:
> 	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
>                            ^^^^^^^^
> The problem is that when we use "devmem->pagemap.range.start" the
> "devmem" pointer is either NULL or freed.
> 
> Neither the allocation nor the call to request_free_mem_region() has to
> be done under the lock so I moved those to the start of the function.
> 
> Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
> ---
> v2: The first version introduced a locking bug
> v3: Markus Elfring pointed out that the Fixes tag was wrong.  This bug
> was in the original commit and then fixed and then re-introduced.  I was
> quite bothered by how this bug lasted so long in the source code, but
> now we know.  As soon as it is introduced we fixed it.
> 
> One problem with the kernel QC process is that I think everyone marks
> the bug as "old/dealt with" so it was only because I was added a new
> check for resource leaks that it was found when it was re-introduced.
> 
>  lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
>  1 file changed, 22 insertions(+), 22 deletions(-)

Hi Andrew, 

I don't have have any hmm related patches this cycle, can you take
this into your tree?

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Thanks,
Jason

Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Andrew Morton]

On Sat, 26 Sep 2020 19:17:20 -0300 Jason Gunthorpe <jgg@ziepe.ca> wrote:

> On Sat, Sep 26, 2020 at 03:14:02PM +0300, Dan Carpenter wrote:
> > The error handling code does this:
> > 
> > err_free:
> > 	kfree(devmem);
> >         ^^^^^^^^^^^^^
> > err_release:
> > 	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
> >                            ^^^^^^^^
> > The problem is that when we use "devmem->pagemap.range.start" the
> > "devmem" pointer is either NULL or freed.
> > 
> > Neither the allocation nor the call to request_free_mem_region() has to
> > be done under the lock so I moved those to the start of the function.
> > 
> > Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
> > ---
> > v2: The first version introduced a locking bug
> > v3: Markus Elfring pointed out that the Fixes tag was wrong.  This bug
> > was in the original commit and then fixed and then re-introduced.  I was
> > quite bothered by how this bug lasted so long in the source code, but
> > now we know.  As soon as it is introduced we fixed it.
> > 
> > One problem with the kernel QC process is that I think everyone marks
> > the bug as "old/dealt with" so it was only because I was added a new
> > check for resource leaks that it was found when it was re-introduced.
> > 
> >  lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
> >  1 file changed, 22 insertions(+), 22 deletions(-)
> 
> Hi Andrew, 
> 
> I don't have have any hmm related patches this cycle, can you take
> this into your tree?
> 
> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Thanks.

It's actually a fix against Dan Williams' -mm patch "mm/memremap_pages:
convert to 'struct range'"

Re: [PATCH v3] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Dan Williams]

On Mon, Sep 28, 2020 at 5:52 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> On Sat, 26 Sep 2020 19:17:20 -0300 Jason Gunthorpe <jgg@ziepe.ca> wrote:
>
> > On Sat, Sep 26, 2020 at 03:14:02PM +0300, Dan Carpenter wrote:
> > > The error handling code does this:
> > >
> > > err_free:
> > >     kfree(devmem);
> > >         ^^^^^^^^^^^^^
> > > err_release:
> > >     release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
> > >                            ^^^^^^^^
> > > The problem is that when we use "devmem->pagemap.range.start" the
> > > "devmem" pointer is either NULL or freed.
> > >
> > > Neither the allocation nor the call to request_free_mem_region() has to
> > > be done under the lock so I moved those to the start of the function.
> > >
> > > Fixes: 1f9c4bb986d9 ("mm/memremap_pages: convert to 'struct range'")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > > Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
> > > ---
> > > v2: The first version introduced a locking bug
> > > v3: Markus Elfring pointed out that the Fixes tag was wrong.  This bug
> > > was in the original commit and then fixed and then re-introduced.  I was
> > > quite bothered by how this bug lasted so long in the source code, but
> > > now we know.  As soon as it is introduced we fixed it.
> > >
> > > One problem with the kernel QC process is that I think everyone marks
> > > the bug as "old/dealt with" so it was only because I was added a new
> > > check for resource leaks that it was found when it was re-introduced.
> > >
> > >  lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
> > >  1 file changed, 22 insertions(+), 22 deletions(-)
> >
> > Hi Andrew,
> >
> > I don't have have any hmm related patches this cycle, can you take
> > this into your tree?
> >
> > Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
>
> Thanks.
>
> It's actually a fix against Dan Williams' -mm patch "mm/memremap_pages:
> convert to 'struct range'"

Yes, sorry, for the fix:

Acked-by: Dan Williams <dan.j.williams@intel.com>

Re: [PATCH] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Ralph Campbell]

On 9/22/20 1:12 AM, Dan Carpenter wrote:
> The error handling code does this:
> 
> err_free:
> 	kfree(devmem);
>          ^^^^^^^^^^^^^
> err_release:
> 	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
>                             ^^^^^^^^
> The problem is that when we use "devmem->pagemap.range.start" the
> "devmem" pointer is either NULL or freed.
> 
> Neither the allocation nor the call to request_free_mem_region() has to
> be done under the lock so I moved those to the start of the function.
> 
> Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> It's weird that I didn't catch the use after free when this code was
> merged in May...  My bad.  Not sure what happened there.  How I found
> this was that I have been reviewing release_mem_region() leaks and the
> NULL dereference path is a leak.
> 

Thanks for fixing this. I missed it too. :-)

>   lib/test_hmm.c | 47 ++++++++++++++++++++++++-----------------------
>   1 file changed, 24 insertions(+), 23 deletions(-)
> 
> diff --git a/lib/test_hmm.c b/lib/test_hmm.c
> index c8133f50160b..0503c78cb322 100644
> --- a/lib/test_hmm.c
> +++ b/lib/test_hmm.c
> @@ -459,6 +459,22 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
>   	unsigned long pfn_last;
>   	void *ptr;
>   
> +	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
> +	if (!devmem)
> +		return -ENOMEM;
> +
> +	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
> +				      "hmm_dmirror");
> +	if (IS_ERR(res))
> +		goto err_devmem;
> +
> +	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
> +	devmem->pagemap.range.start = res->start;
> +	devmem->pagemap.range.end = res->end;
> +	devmem->pagemap.nr_range = 1;
> +	devmem->pagemap.ops = &dmirror_devmem_ops;
> +	devmem->pagemap.owner = mdevice;
> +
>   	mutex_lock(&mdevice->devmem_lock);
>   
>   	if (mdevice->devmem_count == mdevice->devmem_capacity) {
> @@ -471,30 +487,16 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
>   				sizeof(new_chunks[0]) * new_capacity,
>   				GFP_KERNEL);
>   		if (!new_chunks)

Need to call mutex_unlock(&mdevice->devmem_lock).
In fact, why not make this goto err_unlock and add
err_unlock: mutex_unlock() before the err_release:.

> -			goto err;
> +			goto err_release;>   		mdevice->devmem_capacity = new_capacity;
>   		mdevice->devmem_chunks = new_chunks;
>   	}
>   
> -	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
> -					"hmm_dmirror");
> -	if (IS_ERR(res))
> -		goto err;
> -
> -	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
> -	if (!devmem)
> -		goto err_release;
> -
> -	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
> -	devmem->pagemap.range.start = res->start;
> -	devmem->pagemap.range.end = res->end;
> -	devmem->pagemap.nr_range = 1;
> -	devmem->pagemap.ops = &dmirror_devmem_ops;
> -	devmem->pagemap.owner = mdevice;
> -
>   	ptr = memremap_pages(&devmem->pagemap, numa_node_id());
> -	if (IS_ERR(ptr))
> -		goto err_free;
> +	if (IS_ERR(ptr)) {
> +		mutex_unlock(&mdevice->devmem_lock);
> +		goto err_release;
> +	}

This could then be just goto err_unlock.

>   	devmem->mdevice = mdevice;
>   	pfn_first = devmem->pagemap.range.start >> PAGE_SHIFT;
> @@ -525,12 +527,11 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
>   
>   	return true;
>   
> -err_free:
> -	kfree(devmem);
>   err_release:
>   	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
> -err:
> -	mutex_unlock(&mdevice->devmem_lock);
> +err_devmem:
> +	kfree(devmem);
> +
>   	return false;
>   }
>   

With the suggested change, you can add
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>

[PATCH v2] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Dan Carpenter]

The error handling code does this:

err_free:
	kfree(devmem);
        ^^^^^^^^^^^^^
err_release:
	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
                           ^^^^^^^^
The problem is that when we use "devmem->pagemap.range.start" the
"devmem" pointer is either NULL or freed.

Neither the allocation nor the call to request_free_mem_region() has to
be done under the lock so I moved those to the start of the function.

Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2:  The first version introduced a locking bug

 lib/test_hmm.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/lib/test_hmm.c b/lib/test_hmm.c
index c8133f50160b..e151a7f10519 100644
--- a/lib/test_hmm.c
+++ b/lib/test_hmm.c
@@ -459,6 +459,22 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 	unsigned long pfn_last;
 	void *ptr;
 
+	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
+	if (!devmem)
+		return -ENOMEM;
+
+	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
+				      "hmm_dmirror");
+	if (IS_ERR(res))
+		goto err_devmem;
+
+	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
+	devmem->pagemap.range.start = res->start;
+	devmem->pagemap.range.end = res->end;
+	devmem->pagemap.nr_range = 1;
+	devmem->pagemap.ops = &dmirror_devmem_ops;
+	devmem->pagemap.owner = mdevice;
+
 	mutex_lock(&mdevice->devmem_lock);
 
 	if (mdevice->devmem_count == mdevice->devmem_capacity) {
@@ -471,30 +487,14 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 				sizeof(new_chunks[0]) * new_capacity,
 				GFP_KERNEL);
 		if (!new_chunks)
-			goto err;
+			goto err_release;
 		mdevice->devmem_capacity = new_capacity;
 		mdevice->devmem_chunks = new_chunks;
 	}
 
-	res = request_free_mem_region(&iomem_resource, DEVMEM_CHUNK_SIZE,
-					"hmm_dmirror");
-	if (IS_ERR(res))
-		goto err;
-
-	devmem = kzalloc(sizeof(*devmem), GFP_KERNEL);
-	if (!devmem)
-		goto err_release;
-
-	devmem->pagemap.type = MEMORY_DEVICE_PRIVATE;
-	devmem->pagemap.range.start = res->start;
-	devmem->pagemap.range.end = res->end;
-	devmem->pagemap.nr_range = 1;
-	devmem->pagemap.ops = &dmirror_devmem_ops;
-	devmem->pagemap.owner = mdevice;
-
 	ptr = memremap_pages(&devmem->pagemap, numa_node_id());
 	if (IS_ERR(ptr))
-		goto err_free;
+		goto err_release;
 
 	devmem->mdevice = mdevice;
 	pfn_first = devmem->pagemap.range.start >> PAGE_SHIFT;
@@ -525,12 +525,12 @@ static bool dmirror_allocate_chunk(struct dmirror_device *mdevice,
 
 	return true;
 
-err_free:
-	kfree(devmem);
 err_release:
-	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
-err:
 	mutex_unlock(&mdevice->devmem_lock);
+	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
+err_devmem:
+	kfree(devmem);
+
 	return false;
 }
 
-- 
2.28.0

Re: [PATCH v2] mm/hmm/test: use after free in dmirror_allocate_chunk()

[Ralph Campbell]

On 9/24/20 6:46 AM, Dan Carpenter wrote:
> The error handling code does this:
> 
> err_free:
> 	kfree(devmem);
>          ^^^^^^^^^^^^^
> err_release:
> 	release_mem_region(devmem->pagemap.range.start, range_len(&devmem->pagemap.range));
>                             ^^^^^^^^
> The problem is that when we use "devmem->pagemap.range.start" the
> "devmem" pointer is either NULL or freed.
> 
> Neither the allocation nor the call to request_free_mem_region() has to
> be done under the lock so I moved those to the start of the function.
> 
> Fixes: b2ef9f5a5cb3 ("mm/hmm/test: add selftest driver for HMM")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Looks good.
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>