From: Mark Rutland
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland, Andrew Morton, Ingo Molnar, Mathieu Desnoyers, Michal Hocko, Peter Zijlstra, Rik van Riel, Will Deacon
Subject: [PATCHv2] Detect early free of a live mm
Date: Mon, 12 Mar 2018 14:01:03 +0000
Message-Id: <20180312140103.19235-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

KASAN splats indicate that in some cases we free a live mm, then continue to access it, with potentially disastrous results. This is likely due to a mismatched mmdrop() somewhere in the kernel, but so far the culprit remains elusive.

Let's have __mmdrop() verify that the mm isn't live for the current task, similar to the existing check for init_mm. This way, we can catch this class of issue earlier, and without requiring KASAN.

Currently, idle_task_exit() leaves active_mm stale after it switches to init_mm. This isn't harmful, but will trigger the new assertions, so we must adjust idle_task_exit() to update active_mm.

Signed-off-by: Mark Rutland
Cc: Andrew Morton
Cc: Ingo Molnar
Cc: Mathieu Desnoyers
Cc: Michal Hocko
Cc: Peter Zijlstra
Cc: Rik van Riel
Cc: Will Deacon
---
 kernel/fork.c | 2 ++
 kernel/sched/core.c | 1 +
 2 files changed, 3 insertions(+)

Since v1 [1]:
* Use WARN_ON_ONCE()
* Avoid spurious warning in idle_task_exit()

Mark.

[1] https://lkml.kernel.org/r/20180228121458.2230-1-mark.rutland@arm.com

--
2.11.0

diff --git a/kernel/fork.c b/kernel/fork.c index e5d9d405ae4e..ac94ce894219 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -595,6 +595,8 @@ static void check_mm(struct mm_struct *mm) void __mmdrop(struct mm_struct *mm) { BUG_ON(mm == &init_mm); + WARN_ON_ONCE(mm == current->mm); + WARN_ON_ONCE(mm == current->active_mm); mm_free_pgd(mm); destroy_context(mm); hmm_mm_destroy(mm); diff --git a/kernel/sched/core.c b/kernel/sched/core.c index e7c535eee0a6..0ef844abc2da 100644 
--- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -5506,6 +5506,7 @@ void idle_task_exit(void) if (mm != &init_mm) { switch_mm(mm, &init_mm, current); + current->active_mm = &init_mm; finish_arch_post_lock_switch(); } mmdrop(mm);
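
Review bot: in the kernel/fork.c hunk, the two new WARN_ON_ONCE() checks in __mmdrop() only report; execution still falls through to mm_free_pgd(mm) and destroy_context(mm), so a live mm is torn down anyway, and with the _ONCE form any further offending caller after the first report goes unreported. That matches the stated goal of catching the mismatched mmdrop() without KASAN, but please add a comment above the two lines saying that the checks are diagnostic, that they cover only the current task's mm and active_mm, and that they do not prevent the free. It is also worth deciding explicitly whether returning early (and leaking the mm) when either condition holds would be preferable to continuing with the teardown.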
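
Review bot: in the kernel/sched/core.c hunk, the added "current->active_mm = &init_mm;" in idle_task_exit() carries no comment and, read on its own after switch_mm(mm, &init_mm, current), looks redundant; please add a one-line comment saying it keeps active_mm in step with the switch so that the mmdrop(mm) that follows does not trip the new "mm == current->active_mm" check in __mmdrop(). The visible lines also take no reference on init_mm for this assignment, so please confirm that nothing later drops a reference through current->active_mm for this task.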