From patchwork Mon Aug 12 17:16:06 2024
X-Patchwork-Submitter: Will Deacon
X-Patchwork-Id: 13760873
From: Will Deacon
To: linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, Will Deacon, Zhaoyang Huang, "Hailong . Liu", Uladzislau Rezki, Baoquan He, Christoph Hellwig, Lorenzo Stoakes, Thomas Gleixner, Andrew Morton, stable@vger.kernel.org
Subject: [PATCH] mm: vmalloc: Ensure vmap_block is initialised before adding to queue
Date: Mon, 12 Aug 2024 18:16:06 +0100
Message-Id: <20240812171606.17486-1-will@kernel.org>

Commit 8c61291fd850 ("mm: fix incorrect vbq reference in
purge_fragmented_block") extended the 'vmap_block' structure to contain
a 'cpu' field which is set at allocation time to the id of the
initialising CPU.

When a new 'vmap_block' is being instantiated by new_vmap_block(), the
partially initialised structure is added to the local 'vmap_block_queue'
xarray before the 'cpu' field has been initialised. If another CPU is
concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it
may perform an out-of-bounds access to the remote queue thanks to an
uninitialised index.

This has been observed as UBSAN errors in Android:

| Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
|
| Call trace:
| purge_fragmented_block+0x204/0x21c
| _vm_unmap_aliases+0x170/0x378
| vm_unmap_aliases+0x1c/0x28
| change_memory_common+0x1dc/0x26c
| set_memory_ro+0x18/0x24
| module_enable_ro+0x98/0x238
| do_init_module+0x1b0/0x310

Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the
addition to the xarray.

Cc: Zhaoyang Huang Cc: Hailong.Liu Cc: Uladzislau Rezki (Sony) Cc: Baoquan He Cc: Christoph Hellwig Cc: Lorenzo Stoakes Cc: Thomas Gleixner Cc: Andrew Morton Cc: Fixes: 8c61291fd850 ("mm: fix incorrect vbq reference in purge_fragmented_block") Signed-off-by: Will Deacon Reviewed-by: Baoquan He Reviewed-by: Uladzislau Rezki (Sony) --- I _think_ the insertion into the free list is ok, as the vb shouldn't be considered for purging if it's clean. It would be great if somebody more familiar with this code could confirm either way, however. mm/vmalloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 6b783baf12a1..64c0a2c8a73c 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -2626,6 +2626,7 @@ static void *new_vmap_block(unsigned int order, gfp_t gfp_mask) vb->dirty_max = 0; bitmap_set(vb->used_map, 0, (1UL << order)); INIT_LIST_HEAD(&vb->free_list); + vb->cpu = raw_smp_processor_id(); xa = addr_to_vb_xa(va->va_start); vb_idx = addr_to_vb_idx(va->va_start); @@ -2642,7 +2643,6 @@ static void *new_vmap_block(unsigned int order, gfp_t gfp_mask) * integrity together with list_for_each_rcu from read * side. */ - vb->cpu = raw_smp_processor_id(); vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu); spin_lock(&vbq->lock); list_add_tail_rcu(&vb->free_list, &vbq->free);
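
Review bot: In the first hunk (@@ -2626), the added `vb->cpu = raw_smp_processor_id();` after `INIT_LIST_HEAD(&vb->free_list);` has no comment saying it must stay ahead of the xarray insertion that follows the `addr_to_vb_xa()` / `addr_to_vb_idx()` lookups. The ordering is the entire fix, so a short comment at that line stating that every field read by xarray walkers, 'cpu' included, has to be set before the block is published would keep a later cleanup from moving the assignment back down beside the `per_cpu_ptr()` call. It would also help to say in the same place whether any other 'vmap_block' field is still written after the insertion, since the commit message describes the structure as partially initialised at that point and only 'cpu' is moved here.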
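
Review bot: In the second hunk (@@ -2642), the comment ending "integrity together with list_for_each_rcu from read side" used to sit directly above the removed `vb->cpu = raw_smp_processor_id();` and now sits above `vbq = per_cpu_ptr(&vmap_block_queue, vb->cpu);`, which consumes a value sampled earlier in the function. Please check that the comment still describes the lines it precedes, and make it explicit that the CPU executing `list_add_tail_rcu(&vb->free_list, &vbq->free)` may differ from 'vb->cpu', since the raw_ accessor gives no protection against migration and the gap between sampling and use is now wider. The open question in the note below the "---" marker, whether inserting into the free list after the block is already visible in the xarray is safe, deserves an answer in the commit message or a code comment rather than being left in the discarded part of the mail.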