| Message ID | 9d9134359725a965627b7e8f2652069f86f1d1fa.1585233617.git.andreyknvl@google.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 67b3d3cca385507c4c8b6ad97b823415e038e3c8 |
| Headers | show |
| Series | kcov: collect coverage from usb soft interrupts | expand |
On Thu, Mar 26, 2020 at 3:44 PM Andrey Konovalov <andreyknvl@google.com> wrote: > > If vmalloc() fails in kcov_remote_start() we'll access remote->kcov > without holding kcov_remote_lock, so remote might potentially be freed > at that point. Cache kcov pointer in a local variable. > > Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Reviewed-by: Dmitry Vyukov <dvyukov@google.com> > --- > kernel/kcov.c | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/kernel/kcov.c b/kernel/kcov.c > index f6bd119c9419..cc5900ac2467 100644 > --- a/kernel/kcov.c > +++ b/kernel/kcov.c > @@ -748,6 +748,7 @@ static const struct file_operations kcov_fops = { > void kcov_remote_start(u64 handle) > { > struct kcov_remote *remote; > + struct kcov *kcov; > void *area; > struct task_struct *t; > unsigned int size; > @@ -774,16 +775,17 @@ void kcov_remote_start(u64 handle) > spin_unlock(&kcov_remote_lock); > return; > } > + kcov = remote->kcov; > /* Put in kcov_remote_stop(). */ > - kcov_get(remote->kcov); > - t->kcov = remote->kcov; > + kcov_get(kcov); > + t->kcov = kcov; > /* > * Read kcov fields before unlock to prevent races with > * KCOV_DISABLE / kcov_remote_reset(). > */ > - size = remote->kcov->remote_size; > - mode = remote->kcov->mode; > - sequence = remote->kcov->sequence; > + size = kcov->remote_size; > + mode = kcov->mode; > + sequence = kcov->sequence; > area = kcov_remote_area_get(size); > spin_unlock(&kcov_remote_lock); > > @@ -791,7 +793,7 @@ void kcov_remote_start(u64 handle) > area = vmalloc(size * sizeof(unsigned long)); > if (!area) { > t->kcov = NULL; > - kcov_put(remote->kcov); > + kcov_put(kcov); > return; > } > } > -- > 2.26.0.rc2.310.g2932bb562d-goog >
diff --git a/kernel/kcov.c b/kernel/kcov.c index f6bd119c9419..cc5900ac2467 100644 --- a/kernel/kcov.c +++ b/kernel/kcov.c @@ -748,6 +748,7 @@ static const struct file_operations kcov_fops = { void kcov_remote_start(u64 handle) { struct kcov_remote *remote; + struct kcov *kcov; void *area; struct task_struct *t; unsigned int size; @@ -774,16 +775,17 @@ void kcov_remote_start(u64 handle) spin_unlock(&kcov_remote_lock); return; } + kcov = remote->kcov; /* Put in kcov_remote_stop(). */ - kcov_get(remote->kcov); - t->kcov = remote->kcov; + kcov_get(kcov); + t->kcov = kcov; /* * Read kcov fields before unlock to prevent races with * KCOV_DISABLE / kcov_remote_reset(). */ - size = remote->kcov->remote_size; - mode = remote->kcov->mode; - sequence = remote->kcov->sequence; + size = kcov->remote_size; + mode = kcov->mode; + sequence = kcov->sequence; area = kcov_remote_area_get(size); spin_unlock(&kcov_remote_lock); @@ -791,7 +793,7 @@ void kcov_remote_start(u64 handle) area = vmalloc(size * sizeof(unsigned long)); if (!area) { t->kcov = NULL; - kcov_put(remote->kcov); + kcov_put(kcov); return; } }
If vmalloc() fails in kcov_remote_start() we'll access remote->kcov without holding kcov_remote_lock, so remote might potentially be freed at that point. Cache kcov pointer in a local variable. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> --- kernel/kcov.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)