From: Liu Shixin
To: Catalin Marinas, Patrick Wang, Andrew Morton, Kefeng Wang
CC: Liu Shixin
Subject: [PATCH v3 7/7] mm/kmemleak: fix partially freeing unknown object warning
Date: Wed, 18 Oct 2023 18:29:52 +0800
Message-ID: <20231018102952.3339837-8-liushixin2@huawei.com>
In-Reply-To: <20231018102952.3339837-1-liushixin2@huawei.com>

delete_object_part() can be called by multiple callers at the same time. If an object is found and removed by a caller, and then another caller tries to find it too, it fails and returns directly. It is still recorded by kmemleak even if it has already been freed to buddy.
With DEBUG on, kmemleak will report the following warning,

 kmemleak: Partially freeing unknown object at 0xa1af86000 (size 4096)
 CPU: 0 PID: 742 Comm: test_huge Not tainted 6.6.0-rc3kmemleak+ #54
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 Call Trace:
  dump_stack_lvl+0x37/0x50
  kmemleak_free_part_phys+0x50/0x60
  hugetlb_vmemmap_optimize+0x172/0x290
  ? __pfx_vmemmap_remap_pte+0x10/0x10
  __prep_new_hugetlb_folio+0xe/0x30
  prep_new_hugetlb_folio.isra.0+0xe/0x40
  alloc_fresh_hugetlb_folio+0xc3/0xd0
  alloc_surplus_hugetlb_folio.constprop.0+0x6e/0xd0
  hugetlb_acct_memory.part.0+0xe6/0x2a0
  hugetlb_reserve_pages+0x110/0x2c0
  hugetlbfs_file_mmap+0x11d/0x1b0
  mmap_region+0x248/0x9a0
  ? hugetlb_get_unmapped_area+0x15c/0x2d0
  do_mmap+0x38b/0x580
  vm_mmap_pgoff+0xe6/0x190
  ksys_mmap_pgoff+0x18a/0x1f0
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Expand __create_object() and move __alloc_object() to the beginning. Then use kmemleak_lock to protect __find_and_remove_object() and __link_object() as a whole, which can guarantee all objects are processed sequentially.

Fixes: 53238a60dd4a ("kmemleak: Allow partial freeing of memory blocks")
Signed-off-by: Liu Shixin
Reviewed-by: Catalin Marinas
---
 mm/kmemleak.c | 42 +++++++++++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/mm/kmemleak.c b/mm/kmemleak.c index 7c9125c18956..a956b2734324 100644 --- a/mm/kmemleak.c +++ b/mm/kmemleak.c
@@ -816,16 +816,25 @@ static void delete_object_full(unsigned long ptr) */ static void delete_object_part(unsigned long ptr, size_t size, bool is_phys) { - struct kmemleak_object *object; - unsigned long start, end; + struct kmemleak_object *object, *object_l, *object_r; + unsigned long start, end, flags; + + object_l = __alloc_object(GFP_KERNEL); + if (!object_l) + return; - object = find_and_remove_object(ptr, 1, is_phys); + object_r = __alloc_object(GFP_KERNEL); + if (!object_r) + goto out; + + raw_spin_lock_irqsave(&kmemleak_lock, flags); + object = __find_and_remove_object(ptr, 1, is_phys); if (!object) { #ifdef DEBUG kmemleak_warn("Partially freeing unknown object at 0x%08lx (size %zu)\n", ptr, size); #endif - return; + goto unlock; } /* @@ -835,14 +844,25 @@ static void delete_object_part(unsigned long ptr, size_t size, bool is_phys) */ start = object->pointer; end = object->pointer + object->size; - if (ptr > start) - __create_object(start, ptr - start, object->min_count, - GFP_KERNEL, is_phys); - if (ptr + size < end) - __create_object(ptr + size, end - ptr - size, object->min_count, - GFP_KERNEL, is_phys); + if ((ptr > start) && + !__link_object(object_l, start, ptr - start, + object->min_count, is_phys)) + object_l = NULL; + if ((ptr + size < end) && + !__link_object(object_r, ptr + size, end - ptr - size, + object->min_count, is_phys)) + object_r = NULL; + +unlock: + raw_spin_unlock_irqrestore(&kmemleak_lock, flags); + if (object) + __delete_object(object); - __delete_object(object); +out: + if (object_l) + mem_pool_free(object_l); + if (object_r) + mem_pool_free(object_r); } static void __paint_it(struct kmemleak_object *object, int color)
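Review bot: in the first hunk (-816,16 +816,25), a failed __alloc_object() for object_l returns, and one for object_r jumps to out, before __find_and_remove_object() is ever called, so the object covering ptr stays tracked with its full range and this function logs nothing on that path, not even under DEBUG. Please add a comment saying why leaving the stale object in place is acceptable on allocation failure, or restructure so the lookup and removal still happen. It would also help to note next to the two allocations that they are done up front, on every call, because a GFP_KERNEL allocation cannot be made once kmemleak_lock is held with raw_spin_lock_irqsave(); as written both objects are allocated and freed again even when the object is unknown or when only one side of the split is needed.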
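Review bot: in the second hunk (-835,14 +844,25), the ownership rule behind "!__link_object(...)" followed by "object_l = NULL" is implicit: a zero return means the preallocated object has been linked and must not reach mem_pool_free() at out, while a non-zero return or a skipped side leaves the pointer set so it is freed. A one-line comment above the two if statements stating that convention would make the cleanup at out easier to verify, and a short note that __delete_object(object) is deliberately called after raw_spin_unlock_irqrestore() would document the lock scope the commit message describes.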