On Mon, Mar 26, 2018 at 04:53:49PM +0530, Vinayak Menon wrote:
> A crash is observed when kmemleak_scan accesses the
> object->pointer, likely due to the following race.
>
> TASK A                    TASK B                        TASK C
> kmemleak_write
>  (with "scan" and
>   NOT "scan=on")
> kmemleak_scan()
>                           create_object
>                           kmem_cache_alloc fails
>                           kmemleak_disable
>                           kmemleak_do_cleanup
>                           kmemleak_free_enabled = 0
>                                                         kfree
>                                                         kmemleak_free bails out
>                                                          (kmemleak_free_enabled is 0)
>                                                         slub frees object->pointer
> update_checksum
> crash - object->pointer
>  freed (DEBUG_PAGEALLOC)
>
> kmemleak_do_cleanup waits for the scan thread to complete, but not for
> direct call to kmemleak_scan via kmemleak_write. So add a wait for
> kmemleak_scan completion before disabling kmemleak_free.
>
> Signed-off-by: Vinayak Menon <vinmenon@xxxxxxxxxxxxxx>

It looks fine to me. Maybe Andrew can pick it up.

Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>

Thanks.