From patchwork Mon Sep 30 07:06:11 2024
X-Patchwork-Submitter: "Huang, Ying"
X-Patchwork-Id: 13815445
From: Huang Ying
To: Andrew Morton
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Huang Ying, Kees Bakker, Dan Williams, David Hildenbrand, Bjorn Helgaas
Subject: [PATCH] resource, kunit: Fix user-after-free in resource_test_region_intersects()
Date: Mon, 30 Sep 2024 15:06:11 +0800
Message-Id: <20240930070611.353338-1-ying.huang@intel.com>
X-Mailer: git-send-email 2.39.2

In resource_test_insert_resource(), the pointer is used in the error message after kfree(). This is a use-after-free. To fix this, we need to call kunit_add_action_or_reset() to schedule memory freeing after usage. But kunit_add_action_or_reset() itself may fail and free the memory. So, its return value should be checked and the test aborted on failure. Then, we found that other usages of kunit_add_action_or_reset() in resource_test_region_intersects() need to be fixed too.

We fix all these use-after-free bugs in this patch.

Fixes: 99185c10d5d9 ("resource, kunit: add test case for region_intersects()")
Signed-off-by: "Huang, Ying" Reported-by: Kees Bakker Closes: https://lore.kernel.org/lkml/87ldzaotcg.fsf@yhuang6-desk2.ccr.corp.intel.com/ Cc: Dan Williams Cc: David Hildenbrand Cc: Bjorn Helgaas --- kernel/resource_kunit.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/kernel/resource_kunit.c b/kernel/resource_kunit.c index 42d2d8d20f5d..b8ef75b99eb2 100644 --- a/kernel/resource_kunit.c +++ b/kernel/resource_kunit.c @@ -169,6 +169,8 @@ static void resource_test_intersection(struct kunit *test) #define RES_TEST_RAM3_SIZE SZ_1M #define RES_TEST_TOTAL_SIZE ((RES_TEST_WIN1_OFFSET + RES_TEST_WIN1_SIZE)) +KUNIT_DEFINE_ACTION_WRAPPER(kfree_wrapper, kfree, const void *); + static void remove_free_resource(void *ctx) { struct resource *res = (struct resource *)ctx; @@ -177,6 +179,14 @@ static void remove_free_resource(void *ctx) kfree(res); } +static void resource_test_add_action_or_abort( + struct kunit *test, void (*action)(void *), void *ctx) +{ + KUNIT_ASSERT_EQ_MSG(test, 0, + kunit_add_action_or_reset(test, action, ctx), + "Fail to add action"); +} + static void resource_test_request_region(struct kunit *test, struct resource *parent, resource_size_t start, resource_size_t size, const char *name, unsigned long flags) @@ -185,7 +195,7 @@ static void resource_test_request_region(struct kunit *test, struct resource *pa res = __request_region(parent, start, size, name, flags); KUNIT_ASSERT_NOT_NULL(test, res); - kunit_add_action_or_reset(test, remove_free_resource, res); + resource_test_add_action_or_abort(test, remove_free_resource, res); } static void resource_test_insert_resource(struct kunit *test, struct resource *parent, 
@@ -202,11 +212,11 @@ static void resource_test_insert_resource(struct kunit *test, struct resource *p res->end = start + size - 1; res->flags = flags; if (insert_resource(parent, res)) { - kfree(res); + resource_test_add_action_or_abort(test, kfree_wrapper, res); KUNIT_FAIL_AND_ABORT(test, "Fail to insert resource %pR\n", res); } - kunit_add_action_or_reset(test, remove_free_resource, res); + resource_test_add_action_or_abort(test, remove_free_resource, res); } static void resource_test_region_intersects(struct kunit *test) @@ -220,7 +230,7 @@ static void resource_test_region_intersects(struct kunit *test) "test resources"); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, parent); start = parent->start; - kunit_add_action_or_reset(test, remove_free_resource, parent); + resource_test_add_action_or_abort(test, remove_free_resource, parent); resource_test_request_region(test, parent, start + RES_TEST_RAM0_OFFSET, RES_TEST_RAM0_SIZE, "Test System RAM 0", flags);
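Review bot: the KUNIT_DEFINE_ACTION_WRAPPER(kfree_wrapper, kfree, const void *) line in the @@ -169,6 +169,8 @@ hunk has no comment saying why a wrapper is needed. The action parameter added later in this patch is typed void (*action)(void *), while the wrapper is declared with const void *, so a one-line comment noting the signature mismatch would stop a reader from passing kfree directly. The name kfree_wrapper is also generic for a file-scope symbol; a name tied to this test file would be easier to grep for.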
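Review bot: resource_test_add_action_or_abort() in the @@ -177,6 +179,14 @@ hunk needs a comment explaining why a non-zero return from kunit_add_action_or_reset() must abort the test. Per the commit message, on failure the memory has already been freed, so no caller may touch ctx afterwards; that is also why the "Fail to add action" message cannot name the resource. On style, the parameter list starts on a continuation line after the opening parenthesis, whereas resource_test_request_region() in the same file keeps struct kunit *test on the first line; matching that layout would be more consistent.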
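Review bot: in the insert_resource() failure branch of the @@ -202,11 +212,11 @@ hunk, a failure inside resource_test_add_action_or_abort() aborts with "Fail to add action" before KUNIT_FAIL_AND_ABORT() runs, so the "Fail to insert resource %pR" report is lost when both steps fail. A short comment above the call stating that the free is deferred so res stays valid for the %pR argument would keep a later cleanup from turning it back into a direct kfree(res). Separately, the use-after-free fixed in this hunk is in resource_test_insert_resource(), while the subject line names only resource_test_region_intersects(); mentioning both functions would make the commit easier to find.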