Commit e52cfc05 authored by Ma Wupeng, committed by Yang Yingliang

mm,hwpoison: Fix use-after-free in memory_failure()

hulk inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4LE22
CVE: NA

--------------------------------

  BUG: KASAN: use-after-free in __mutex_lock.isra.1+0x77c/0x860
  Read of size 4 at addr ffff8000d8382040 by task syz-executor658/454

  CPU: 3 PID: 454 Comm: syz-executor658 Not tainted 4.19.90+ #8
  Hardware name: linux,dummy-virt (DT)
  Call trace:
   dump_backtrace+0x0/0x3f0
   show_stack+0x28/0x38
   dump_stack+0x170/0x1dc
   print_address_description+0x68/0x2c8
   kasan_report+0x130/0x2e8
   __asan_report_load4_noabort+0x30/0x40
   __mutex_lock.isra.1+0x77c/0x860
   __mutex_lock_slowpath+0x24/0x30
   mutex_lock+0x4c/0x58
   memory_failure+0x1a8/0xf00
   do_madvise+0x8bc/0x12b0
   __arm64_sys_madvise+0x74/0x218
   el0_svc_common+0x134/0x570
   el0_svc_handler+0x190/0x260
   el0_svc+0x10/0x218

  Allocated by task 423:
   kasan_kmalloc+0xdc/0x190
   kasan_slab_alloc+0x14/0x20
   kmem_cache_alloc_node+0xec/0x2a0
   copy_process.isra.7.part.8+0x117c/0x58f0
   _do_fork+0x188/0x8f0
   __arm64_sys_clone+0xb0/0x108
   el0_svc_common+0x134/0x570
   el0_svc_handler+0x190/0x260
   el0_svc+0x10/0x218

  Freed by task 19:
   __kasan_slab_free+0x120/0x228
   kasan_slab_free+0x10/0x18
   kmem_cache_free+0x1b8/0x270
   free_task+0xb8/0xe0
   __put_task_struct+0x248/0x318
   delayed_put_task_struct+0x58/0x210
   rcu_nocb_kthread+0x2b0/0x508
   kthread+0x2c8/0x348
   ret_from_fork+0x10/0x18

After commit 02d80b17 ("mm/memory-failure: use a mutex to avoid
memory_failure() races"), all the error paths in memory_failure() need
to unlock mf_mutex, or the above use-after-free occurs; fix the missing
one when try_to_split_thp_page() fails.

Fixes: a668355a ("mm,hwpoison: unify THP handling for hard and soft offline")
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Parent 96786b61
......@@ -1408,7 +1408,8 @@ int memory_failure(unsigned long pfn, int flags)
if (PageTransHuge(hpage)) {
if (try_to_split_thp_page(p, "Memory Failure") < 0) {
action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED);
return -EBUSY;
res = -EBUSY;
goto unlock_mutex;
}
VM_BUG_ON_PAGE(!page_count(p), p);
}
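Review bot: This hunk fixes only the one early `return -EBUSY` under `try_to_split_thp_page()`, while the commit message states that every error path after `mutex_lock()` must now reach `unlock_mutex`; before merging, grep memory_failure() for any other bare `return` between the `mutex_lock()` call and the `unlock_mutex:` label, since a single remaining leak reproduces the same report (the next caller blocks on a mutex whose owner may already have exited, which is what the KASAN trace above shows in `__mutex_lock`). The replacement `res = -EBUSY; goto unlock_mutex;` matches the existing error-path convention and keeps `action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED);` inside the locked region, which is correct. The context lines do not show `res` or the `unlock_mutex` label being declared, so confirm both were brought into this 4.19 tree with the backport of 02d80b17 rather than relying on the Fixes: target a668355a alone.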
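To make the failure mode concrete, the following is an added user-space C example, not kernel code and not part of this commit, that models the lock discipline the patch restores: a buggy memory_failure-style function that returns early with the lock still held, the fixed version using the goto-unlock pattern from the hunk, and a trylock-based lock-balance check a reviewer could run after each call. The names memory_failure_buggy, memory_failure_fixed, try_to_split_thp_page_stub, leaked_lock and recover_leaked_lock are illustrative stand-ins; a pthread mutex replaces the kernel's mf_mutex, and nothing here reproduces the KASAN report itself.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for the kernel's mf_mutex. */
static pthread_mutex_t mf_mutex = PTHREAD_MUTEX_INITIALIZER;

/* Stand-in for try_to_split_thp_page(): a negative result means the split failed. */
static int try_to_split_thp_page_stub(bool split_ok)
{
	return split_ok ? 0 : -1;
}

/* Before the fix: the error path returns with mf_mutex still held. */
static int memory_failure_buggy(bool split_ok)
{
	pthread_mutex_lock(&mf_mutex);
	if (try_to_split_thp_page_stub(split_ok) < 0)
		return -EBUSY;		/* BUG: mf_mutex is never released */
	pthread_mutex_unlock(&mf_mutex);
	return 0;
}

/* After the fix: every exit, success or error, goes through unlock_mutex. */
static int memory_failure_fixed(bool split_ok)
{
	int res = 0;

	pthread_mutex_lock(&mf_mutex);
	if (try_to_split_thp_page_stub(split_ok) < 0) {
		res = -EBUSY;
		goto unlock_mutex;
	}
	/* ... normal handling would go here ... */
unlock_mutex:
	pthread_mutex_unlock(&mf_mutex);
	return res;
}

/*
 * Lock-balance check to run after each call: the lock must be free again.
 * A default (non-recursive) pthread mutex reports EBUSY from trylock even
 * to the thread that holds it, so a leak is detected from the same thread.
 * Returns true when the previous call leaked the lock.
 */
static bool leaked_lock(void)
{
	if (pthread_mutex_trylock(&mf_mutex) != 0)
		return true;
	pthread_mutex_unlock(&mf_mutex);
	return false;
}

/* Force-release a leaked lock so later checks start from a clean state. */
static void recover_leaked_lock(void)
{
	pthread_mutex_unlock(&mf_mutex);
}

int main(void)
{
	int res;

	res = memory_failure_fixed(false);
	printf("fixed: res=%d leaked=%d\n", res, leaked_lock());	/* -EBUSY, leaked=0 */

	res = memory_failure_buggy(false);
	printf("buggy: res=%d leaked=%d\n", res, leaked_lock());	/* -EBUSY, leaked=1 */
	recover_leaked_lock();
	return 0;
}
```

Build with `cc -pthread example.c`. The check is deliberately the same in both cases: the return value is identical (-EBUSY), so the bug is invisible to a caller and only shows up as lock state left behind, which is why the kernel report surfaces in a later, unrelated memory_failure() call rather than in the one that took the failing path.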