From patchwork Thu Aug 18 13:00:14 2022
X-Patchwork-Submitter: Miaohe Lin
X-Patchwork-Id: 12948088
From: Miaohe Lin
Subject: [PATCH 4/6] mm, hwpoison: fix possible use-after-free in mf_dax_kill_procs()
Date: Thu, 18 Aug 2022 21:00:14 +0800
Message-ID: <20220818130016.45313-5-linmiaohe@huawei.com>
In-Reply-To: <20220818130016.45313-1-linmiaohe@huawei.com>
References: <20220818130016.45313-1-linmiaohe@huawei.com>
After kill_procs(), tk will be freed without being removed from the to_kill list. In the next iteration, the freed list entry in the to_kill list will be accessed, thus leading to a use-after-free issue. Fix it by reinitializing the to_kill list after unmap_and_kill().

Fixes: c36e20249571 ("mm: introduce mf_dax_kill_procs() for fsdax case")
Signed-off-by: Miaohe Lin
---
 mm/memory-failure.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 7023c3d81273..a2f4e8b00a26 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1658,6 +1658,8 @@ int mf_dax_kill_procs(struct address_space *mapping, pgoff_t index, collect_procs_fsdax(page, mapping, index, &to_kill); unmap_and_kill(&to_kill, page_to_pfn(page), mapping, index, mf_flags); + /* Reinitialize to_kill list for later resuing. */ + INIT_LIST_HEAD(&to_kill); unlock: dax_unlock_mapping_entry(mapping, index, cookie); }
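Review bot: the comment added in the hunk has a typo: "for later resuing" should read "for later reusing". On the fix itself, the two added lines after unmap_and_kill() do close the hole described in the message (kill_procs() frees each tk without unlinking it, so the head must not be walked again until it is reset), but they fix it at one caller: any other site that reuses a to_kill head after kill_procs() would need the same INIT_LIST_HEAD(&to_kill). Unlinking each tk inside kill_procs() before it is freed (a list_del() paired with the free) would leave the list empty for every caller and make the reinitialization here unnecessary; if the per-caller reset is preferred, a sentence in the commit message saying why would help future readers.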