From: Chintan Pandya
Date: Fri, 8 Jun 2018 00:06:50 +0000 (-0700)
Subject: mm: vmalloc: avoid racy handling of debugobjects in vunmap
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=f3c01d2f3ade6790db67f80fef60df84424f8964;p=openwrt%2Fstaging%2Fblogic.git

mm: vmalloc: avoid racy handling of debugobjects in vunmap

Currently, __vunmap flow is,
1) Release the VM area
2) Free the debug objects corresponding to that vm area.

This leaves some race window open.
1) Release the VM area
1.5) Some other client gets the same vm area
1.6) This client allocates new debug objects on the same vm area
2) Free the debug objects corresponding to this vm area.

Here, we actually free 'other' client's debug objects.

Fix this by freeing the debug objects first and then releasing the VM area.

Link: http://lkml.kernel.org/r/1523961828-9485-2-git-send-email-cpandya@codeaurora.org
Signed-off-by: Chintan Pandya
Reviewed-by: Andrew Morton
Cc: Ard Biesheuvel
Cc: Byungchul Park
Cc: Catalin Marinas
Cc: Florian Fainelli
Cc: Johannes Weiner
Cc: Laura Abbott
Cc: Vlastimil Babka
Cc: Wei Yang
Cc: Yisheng Xie
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
---
diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 12bd82e6554e..4df66e1abeb1 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -1504,7 +1504,7 @@ static void __vunmap(const void *addr, int deallocate_pages) addr)) return; - area = remove_vm_area(addr); + area = find_vmap_area((unsigned long)addr)->vm; if (unlikely(!area)) { WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n", addr); @@ -1514,6 +1514,7 @@ static void __vunmap(const void *addr, int deallocate_pages) debug_check_no_locks_freed(addr, get_vm_area_size(area)); debug_check_no_obj_freed(addr, get_vm_area_size(area)); + remove_vm_area(addr); if (deallocate_pages) { int i;
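Review bot: In the first hunk (@@ -1504,7), the result of find_vmap_area() is dereferenced with ->vm before anything checks it, so the `if (unlikely(!area))` test that follows can no longer catch the "nonexistent vm area" case it warns about. If the lookup finds nothing for addr, the ->vm access is a NULL pointer dereference instead of the WARN and early return. Keep the lookup result in a local vmap_area pointer, test that pointer first, and only then read ->vm, so a bogus or repeated vfree() of the same address still ends in the diagnostic path rather than an oops.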
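Review bot: In the second hunk (@@ -1514,6), the return value of the added `remove_vm_area(addr);` is discarded, so nothing confirms that the area actually removed is the same `area` that was looked up earlier and is still used in the `if (deallocate_pages)` block below. Before this change the removal itself produced `area`, which made it the single point where one caller claimed the mapping. With lookup and removal now separate steps, two callers passing the same addr can both pass the lookup before either removes it. Consider comparing the returned pointer against `area` and warning on a mismatch, and add a one-line comment above the call saying the debug checks must run before the area is released, so a later cleanup does not move the call back up.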