+ kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2.patch added to -mm tree

The patch titled
     Subject: kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2
has been added to the -mm tree.  Its filename is
     kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Subject: kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2

- Fix error path in alloc_vmap_area.
- Remove wrong Reported-by: syzbot (The issue reported by bot is a different
  one)

Link: http://lkml.kernel.org/r/20191205095942.1761-1-aryabinin@xxxxxxxxxxxxx
Fixes: 3c5c3cfb9ef4 ("kasan: support backing vmalloc space with real shadow memory")
Signed-off-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
Cc: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Cc: Uladzislau Rezki (Sony) <urezki@xxxxxxxxx>
Cc: Daniel Axtens <dja@xxxxxxxxxx>
Cc: Alexander Potapenko <glider@xxxxxxxxxx>
Cc: Daniel Axtens <dja@xxxxxxxxxx>
Cc: Qian Cai <cai@xxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/vmalloc.c |   54 +++++++++++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 26 deletions(-)

--- a/mm/vmalloc.c~kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2
+++ a/mm/vmalloc.c
@@ -1062,6 +1062,26 @@ __alloc_vmap_area(unsigned long size, un
 }
 
 /*
+ * Free a region of KVA allocated by alloc_vmap_area
+ */
+static void free_vmap_area(struct vmap_area *va)
+{
+	/*
+	 * Remove from the busy tree/list.
+	 */
+	spin_lock(&vmap_area_lock);
+	unlink_va(va, &vmap_area_root);
+	spin_unlock(&vmap_area_lock);
+
+	/*
+	 * Insert/Merge it back to the free tree/list.
+	 */
+	spin_lock(&free_vmap_area_lock);
+	merge_or_add_vmap_area(va, &free_vmap_area_root, &free_vmap_area_list);
+	spin_unlock(&free_vmap_area_lock);
+}
+
+/*
  * Allocate a region of KVA of the specified size and alignment, within the
  * vstart and vend.
  */
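
Review bot: the free_vmap_area() body added above alloc_vmap_area() is the same text that is deleted further down the file, and the changelog does not say the function is only being moved. A line such as "move free_vmap_area() above alloc_vmap_area() so the error path can call it" would make it clear that nothing inside the function changes. Its comment, "Free a region of KVA allocated by alloc_vmap_area", could also mention that it is now used on alloc_vmap_area's own failure path.
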
@@ -1073,7 +1093,7 @@ static struct vmap_area *alloc_vmap_area
 	struct vmap_area *va, *pva;
 	unsigned long addr;
 	int purged = 0;
-	int ret = -EBUSY;
+	int ret;
 
 	BUG_ON(!size);
 	BUG_ON(offset_in_page(size));
@@ -1140,9 +1160,6 @@ retry:
 	va->va_end = addr + size;
 	va->vm = NULL;
 
-	ret = kasan_populate_vmalloc(addr, size);
-	if (ret)
-		goto out;
 
 	spin_lock(&vmap_area_lock);
 	insert_vmap_area(va, &vmap_area_root, &vmap_area_list);
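
Review bot: style nit at the removed kasan_populate_vmalloc() call: deleting those three lines leaves two consecutive blank lines between "va->vm = NULL;" and spin_lock(&vmap_area_lock). Drop one of them.
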
@@ -1152,6 +1169,12 @@ retry:
 	BUG_ON(va->va_start < vstart);
 	BUG_ON(va->va_end > vend);
 
+	ret = kasan_populate_vmalloc(addr, size);
+	if (ret) {
+		free_vmap_area(va);
+		return ERR_PTR(ret);
+	}
+
 	return va;
 
 overflow:
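
Review bot: on the new failure branch after kasan_populate_vmalloc(addr, size), free_vmap_area(va) unlinks the area and merges the range back into the free tree, but nothing visible here releases shadow that may have been populated before the call failed. If kasan_populate_vmalloc() cleans up after itself on error, a one-line comment saying so would help; otherwise the branch needs a matching release. A short comment explaining why the shadow is now populated only after insert_vmap_area() would also be useful, since the area is visible in vmap_area_root before its shadow exists.
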
@@ -1174,9 +1197,8 @@ overflow:
 		pr_warn("vmap allocation for size %lu failed: use vmalloc=<size> to increase size\n",
 			size);
 
-out:
 	kmem_cache_free(vmap_area_cachep, va);
-	return ERR_PTR(ret);
+	return ERR_PTR(-EBUSY);
 }
 
 int register_vmap_purge_notifier(struct notifier_block *nb)
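
Review bot: the changelog says only "Fix error path in alloc_vmap_area" and does not describe the defect. From the removed "out:" label, the old kasan_populate_vmalloc() failure path did just kmem_cache_free(vmap_area_cachep, va) and returned, with no step that handed the already-chosen address range back. Please state that in the commit message, and note that the overflow path now returns a literal -EBUSY because "ret" is no longer initialised at its declaration.
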
@@ -1192,26 +1214,6 @@ int unregister_vmap_purge_notifier(struc
 EXPORT_SYMBOL_GPL(unregister_vmap_purge_notifier);
 
 /*
- * Free a region of KVA allocated by alloc_vmap_area
- */
-static void free_vmap_area(struct vmap_area *va)
-{
-	/*
-	 * Remove from the busy tree/list.
-	 */
-	spin_lock(&vmap_area_lock);
-	unlink_va(va, &vmap_area_root);
-	spin_unlock(&vmap_area_lock);
-
-	/*
-	 * Insert/Merge it back to the free tree/list.
-	 */
-	spin_lock(&free_vmap_area_lock);
-	merge_or_add_vmap_area(va, &free_vmap_area_root, &free_vmap_area_list);
-	spin_unlock(&free_vmap_area_lock);
-}
-
-/*
  * Clear the pagetable entries of a given vmap_area
  */
 static void unmap_vmap_area(struct vmap_area *va)
_

Patches currently in -mm which might be from aryabinin@xxxxxxxxxxxxx are

kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram.patch
kasan-fix-crashes-on-access-to-memory-mapped-by-vm_map_ram-v2.patch
kasan-dont-allocate-page-tables-in-kasan_release_vmalloc.patch



