From: Ma Wupeng mawupeng1@huawei.com
hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4LE22
CVE: NA
--------------------------------
BUG: KASAN: use-after-free in __mutex_lock.isra.1+0x77c/0x860
Read of size 4 at addr ffff8000d8382040 by task syz-executor658/454

CPU: 3 PID: 454 Comm: syz-executor658 Not tainted 4.19.90+ #8
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x3f0
 show_stack+0x28/0x38
 dump_stack+0x170/0x1dc
 print_address_description+0x68/0x2c8
 kasan_report+0x130/0x2e8
 __asan_report_load4_noabort+0x30/0x40
 __mutex_lock.isra.1+0x77c/0x860
 __mutex_lock_slowpath+0x24/0x30
 mutex_lock+0x4c/0x58
 memory_failure+0x1a8/0xf00
 do_madvise+0x8bc/0x12b0
 __arm64_sys_madvise+0x74/0x218
 el0_svc_common+0x134/0x570
 el0_svc_handler+0x190/0x260
 el0_svc+0x10/0x218

Allocated by task 423:
 kasan_kmalloc+0xdc/0x190
 kasan_slab_alloc+0x14/0x20
 kmem_cache_alloc_node+0xec/0x2a0
 copy_process.isra.7.part.8+0x117c/0x58f0
 _do_fork+0x188/0x8f0
 __arm64_sys_clone+0xb0/0x108
 el0_svc_common+0x134/0x570
 el0_svc_handler+0x190/0x260
 el0_svc+0x10/0x218

Freed by task 19:
 __kasan_slab_free+0x120/0x228
 kasan_slab_free+0x10/0x18
 kmem_cache_free+0x1b8/0x270
 free_task+0xb8/0xe0
 __put_task_struct+0x248/0x318
 delayed_put_task_struct+0x58/0x210
 rcu_nocb_kthread+0x2b0/0x508
 kthread+0x2c8/0x348
 ret_from_fork+0x10/0x18
After commit 02d80b17ba49 ("mm/memory-failure: use a mutex to avoid memory_failure() races"), all the error paths in memory_failure() need to unlock mf_mutex, or the above use-after-free occurs; fix the missing one if try_to_split_thp_page() fails.
Fixes: a668355ac487 ("mm,hwpoison: unify THP handling for hard and soft offline")
Signed-off-by: Ma Wupeng mawupeng1@huawei.com
Reviewed-by: Kefeng Wang wangkefeng.wang@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 mm/memory-failure.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mm/memory-failure.c b/mm/memory-failure.c index cd3394dd70e16..578859c94866f 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -1408,7 +1408,8 @@ int memory_failure(unsigned long pfn, int flags) if (PageTransHuge(hpage)) { if (try_to_split_thp_page(p, "Memory Failure") < 0) { action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED); - return -EBUSY; + res = -EBUSY; + goto unlock_mutex; } VM_BUG_ON_PAGE(!page_count(p), p); }
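Review bot: the `unlock_mutex` label and the `res` variable this hunk relies on are outside its context lines, so the diff alone does not show that the label performs mutex_unlock(&mf_mutex) before returning `res`, nor that `res` is still in scope here; please confirm in the surrounding function, and since the commit message says every error path after 02d80b17ba49 must release mf_mutex, it would help reviewers to state that this was the only remaining `return` between mutex_lock(&mf_mutex) and the unlock label.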
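The defect the commit fixes is a lock-balance bug: one error path returns while mf_mutex is held, so the next caller of memory_failure() blocks on a mutex that can never be released (and here KASAN caught a use-after-free in the blocked __mutex_lock). The following is an added illustration, not kernel code and not part of this patch: it models the buggy and the fixed shape of that error path against a constructed counting "mutex" so the balance can be checked after each call. The names `fake_mutex`, `page_model`, `memory_failure_model_buggy`, `memory_failure_model_fixed` and `lock_balanced_after` are all assumptions of this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's mf_mutex: a hold counter instead of
 * a real mutex, so the lock balance can be inspected after each call. */
struct fake_mutex {
    int hold_count; /* 1 while "locked", 0 once released */
};

static struct fake_mutex mf_mutex_model = { 0 };

static void model_lock(struct fake_mutex *m)   { m->hold_count++; }
static void model_unlock(struct fake_mutex *m) { m->hold_count--; }

/* Page model with only the two conditions the error path depends on. */
struct page_model {
    bool trans_huge;   /* stands in for PageTransHuge(hpage) */
    bool split_fails;  /* stands in for try_to_split_thp_page() < 0 */
};

/* Buggy shape (pre-patch): the THP split failure returns while the
 * mutex is still held, which is the imbalance the commit describes. */
static int memory_failure_model_buggy(struct page_model *p)
{
    int res = 0;

    model_lock(&mf_mutex_model);
    if (p->trans_huge) {
        if (p->split_fails)
            return -EBUSY;   /* leaves mf_mutex_model held */
    }
    model_unlock(&mf_mutex_model);
    return res;
}

/* Fixed shape (post-patch): every exit, error or not, funnels through a
 * single unlock label, so the lock is released exactly once. */
static int memory_failure_model_fixed(struct page_model *p)
{
    int res = 0;

    model_lock(&mf_mutex_model);
    if (p->trans_huge) {
        if (p->split_fails) {
            res = -EBUSY;
            goto unlock_mutex;
        }
    }
unlock_mutex:
    model_unlock(&mf_mutex_model);
    return res;
}

/* Drives fn on the split-failure input from an unlocked state. Returns 1 if
 * fn released the mutex before returning, 0 if it left it held. The return
 * code of fn is reported through out_res so both can be checked. */
static int lock_balanced_after(int (*fn)(struct page_model *), int *out_res)
{
    struct page_model thp_split_fails = { .trans_huge = true, .split_fails = true };
    int res;

    mf_mutex_model.hold_count = 0;
    res = fn(&thp_split_fails);
    if (out_res)
        *out_res = res;
    return mf_mutex_model.hold_count == 0;
}

int main(void)
{
    int res;

    printf("buggy: balanced=%d res=%d\n",
           lock_balanced_after(memory_failure_model_buggy, &res), res);
    printf("fixed: balanced=%d res=%d\n",
           lock_balanced_after(memory_failure_model_fixed, &res), res);
    return 0;
}
```

Both variants return -EBUSY on the split failure, so the caller sees no difference; only the hold counter exposes the bug. That is why this class of defect survives review of the return value alone and why the single-exit `goto unlock_mutex` idiom is the conventional kernel fix: any later error path added to the function inherits the unlock for free.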