Revision - 73223e4 - mm/mempolicy: fix use after free when calling get_mempolicy

Revision 73223e4e2e3867ebf033a5a8eb2e5df0158ccc99 authored by zhong jiang on 18 August 2017, 22:16:24 UTC, committed by Linus Torvalds on 18 August 2017, 22:32:02 UTC

mm/mempolicy: fix use after free when calling get_mempolicy

I hit a use after free issue when executing trinity and repoduced it
with KASAN enabled.  The related call trace is as follows.

  BUG: KASan: use after free in SyS_get_mempolicy+0x3c8/0x960 at addr ffff8801f582d766
  Read of size 2 by task syz-executor1/798

  INFO: Allocated in mpol_new.part.2+0x74/0x160 age=3 cpu=1 pid=799
     __slab_alloc+0x768/0x970
     kmem_cache_alloc+0x2e7/0x450
     mpol_new.part.2+0x74/0x160
     mpol_new+0x66/0x80
     SyS_mbind+0x267/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Freed in __mpol_put+0x2b/0x40 age=4 cpu=1 pid=799
     __slab_free+0x495/0x8e0
     kmem_cache_free+0x2f3/0x4c0
     __mpol_put+0x2b/0x40
     SyS_mbind+0x383/0x9f0
     system_call_fastpath+0x16/0x1b
  INFO: Slab 0xffffea0009cb8dc0 objects=23 used=8 fp=0xffff8801f582de40 flags=0x200000000004080
  INFO: Object 0xffff8801f582d760 @offset=5984 fp=0xffff8801f582d600

  Bytes b4 ffff8801f582d750: ae 01 ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
  Object ffff8801f582d760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
  Object ffff8801f582d770: 6b 6b 6b 6b 6b 6b 6b a5                          kkkkkkk.
  Redzone ffff8801f582d778: bb bb bb bb bb bb bb bb                          ........
  Padding ffff8801f582d8b8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
  Memory state around the buggy address:
  ffff8801f582d600: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801f582d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  >ffff8801f582d700: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fc

!shared memory policy is not protected against parallel removal by other
thread which is normally protected by the mmap_sem.  do_get_mempolicy,
however, drops the lock midway while we can still access it later.

Early premature up_read is a historical artifact from times when
put_user was called in this path see https://lwn.net/Articles/124754/
but that is gone since 8bccd85ffbaf ("[PATCH] Implement sys_* do_*
layering in the memory policy layer.").  but when we have the the
current mempolicy ref count model.  The issue was introduced
accordingly.

Fix the issue by removing the premature release.

Link: http://lkml.kernel.org/r/1502950924-27521-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: <stable@vger.kernel.org>	[2.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 parent da094e4

Files
Changes

Permalinks

mixer_us16x08.h

#ifndef __USB_MIXER_US16X08_H
#define __USB_MIXER_US16X08_H

#define SND_US16X08_MAX_CHANNELS 16

/* define some bias, cause some alsa-mixers wont work with
 * negative ranges or if mixer-min != 0
 */
#define SND_US16X08_NO_BIAS 0
#define SND_US16X08_FADER_BIAS 127
#define SND_US16X08_EQ_HIGHFREQ_BIAS 0x20
#define SND_US16X08_COMP_THRESHOLD_BIAS 0x20
#define SND_US16X08_COMP_ATTACK_BIAS 2
#define SND_US16X08_COMP_RELEASE_BIAS 1

/* get macro for components of kcontrol private_value */
#define SND_US16X08_KCBIAS(x) (((x)->private_value >> 24) & 0xff)
#define SND_US16X08_KCSTEP(x) (((x)->private_value >> 16) & 0xff)
#define SND_US16X08_KCMIN(x) (((x)->private_value >> 8) & 0xff)
#define SND_US16X08_KCMAX(x) (((x)->private_value >> 0) & 0xff)
/* set macro for kcontrol private_value */
#define SND_US16X08_KCSET(bias, step, min, max)  \
	(((bias) << 24) | ((step) << 16) | ((min) << 8) | (max))

/* the URB request/type to control Tascam mixers */
#define SND_US16X08_URB_REQUEST 0x1D
#define SND_US16X08_URB_REQUESTTYPE 0x40

/* the URB params to retrieve meter ranges */
#define SND_US16X08_URB_METER_REQUEST       0x1e
#define SND_US16X08_URB_METER_REQUESTTYPE   0xc0

#define MUA0(x, y) ((x)[(y) * 10 + 4])
#define MUA1(x, y) ((x)[(y) * 10 + 5])
#define MUA2(x, y) ((x)[(y) * 10 + 6])
#define MUB0(x, y) ((x)[(y) * 10 + 7])
#define MUB1(x, y) ((x)[(y) * 10 + 8])
#define MUB2(x, y) ((x)[(y) * 10 + 9])
#define MUC0(x, y) ((x)[(y) * 10 + 10])
#define MUC1(x, y) ((x)[(y) * 10 + 11])
#define MUC2(x, y) ((x)[(y) * 10 + 12])
#define MUC3(x, y) ((x)[(y) * 10 + 13])

/* Common Channel control IDs */
#define SND_US16X08_ID_BYPASS 0x45
#define SND_US16X08_ID_BUSS_OUT 0x44
#define SND_US16X08_ID_PHASE 0x85
#define SND_US16X08_ID_MUTE 0x83
#define SND_US16X08_ID_FADER 0x81
#define SND_US16X08_ID_PAN 0x82
#define SND_US16X08_ID_METER 0xB1

#define SND_US16X08_ID_EQ_BAND_COUNT 4
#define SND_US16X08_ID_EQ_PARAM_COUNT 4

/* EQ level IDs */
#define SND_US16X08_ID_EQLOWLEVEL 0x01
#define SND_US16X08_ID_EQLOWMIDLEVEL 0x02
#define SND_US16X08_ID_EQHIGHMIDLEVEL 0x03
#define SND_US16X08_ID_EQHIGHLEVEL 0x04

/* EQ frequence IDs */
#define SND_US16X08_ID_EQLOWFREQ 0x11
#define SND_US16X08_ID_EQLOWMIDFREQ 0x12
#define SND_US16X08_ID_EQHIGHMIDFREQ 0x13
#define SND_US16X08_ID_EQHIGHFREQ 0x14

/* EQ width IDs */
#define SND_US16X08_ID_EQLOWMIDWIDTH 0x22
#define SND_US16X08_ID_EQHIGHMIDWIDTH 0x23

#define SND_US16X08_ID_EQENABLE 0x30

#define EQ_STORE_BAND_IDX(x) ((x) & 0xf)
#define EQ_STORE_PARAM_IDX(x) (((x) & 0xf0) >> 4)

#define SND_US16X08_ID_ROUTE 0x00

/* Compressor Ids */
#define SND_US16X08_ID_COMP_BASE	0x32
#define SND_US16X08_ID_COMP_THRESHOLD	SND_US16X08_ID_COMP_BASE
#define SND_US16X08_ID_COMP_RATIO	(SND_US16X08_ID_COMP_BASE + 1)
#define SND_US16X08_ID_COMP_ATTACK	(SND_US16X08_ID_COMP_BASE + 2)
#define SND_US16X08_ID_COMP_RELEASE	(SND_US16X08_ID_COMP_BASE + 3)
#define SND_US16X08_ID_COMP_GAIN	(SND_US16X08_ID_COMP_BASE + 4)
#define SND_US16X08_ID_COMP_SWITCH	(SND_US16X08_ID_COMP_BASE + 5)
#define SND_US16X08_ID_COMP_COUNT	6

#define COMP_STORE_IDX(x) ((x) - SND_US16X08_ID_COMP_BASE)

struct snd_us16x08_eq_store {
	u8 val[SND_US16X08_ID_EQ_BAND_COUNT][SND_US16X08_ID_EQ_PARAM_COUNT]
		[SND_US16X08_MAX_CHANNELS];
};

struct snd_us16x08_comp_store {
	u8 val[SND_US16X08_ID_COMP_COUNT][SND_US16X08_MAX_CHANNELS];
};

struct snd_us16x08_meter_store {
	int meter_level[SND_US16X08_MAX_CHANNELS];
	int master_level[2]; /* level of meter for master output */
	int comp_index; /* round trip channel selector */
	int comp_active_index; /* channel select from user space mixer */
	int comp_level[16]; /* compressor reduction level */
	struct snd_us16x08_comp_store *comp_store;
};

struct snd_us16x08_control_params {
	struct snd_kcontrol_new *kcontrol_new;
	int control_id;
	int type;
	int num_channels;
	const char *name;
	int default_val;
};

#define snd_us16x08_switch_info snd_ctl_boolean_mono_info

int snd_us16x08_controls_create(struct usb_mixer_interface *mixer);
#endif /* __USB_MIXER_US16X08_H */

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...