Commit 2dcc3eb8 authored by Jason Gunthorpe

mm/hmm: Poison hmm_range during unregister



Trying to misuse a range outside its lifetime is a kernel bug. Use poison
bytes to help detect this condition. Double unregister will reliably crash.

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Acked-by: Souptick Joarder <jrdr.linux@gmail.com>
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Tested-by: Philip Yang <Philip.Yang@amd.com>
parent 187229c2
+8 −6
@@ -925,19 +925,21 @@ void hmm_range_unregister(struct hmm_range *range)
{
{
	struct hmm *hmm = range->hmm;
	struct hmm *hmm = range->hmm;


	/* Sanity check this really should not happen. */
	if (hmm == NULL || range->end <= range->start)
		return;

	mutex_lock(&hmm->lock);
	mutex_lock(&hmm->lock);
	list_del_init(&range->list);
	list_del_init(&range->list);
	mutex_unlock(&hmm->lock);
	mutex_unlock(&hmm->lock);


	/* Drop reference taken by hmm_range_register() */
	/* Drop reference taken by hmm_range_register() */
	range->valid = false;
	mmput(hmm->mm);
	mmput(hmm->mm);
	hmm_put(hmm);
	hmm_put(hmm);
	range->hmm = NULL;

	/*
	 * The range is now invalid and the ref on the hmm is dropped, so
	 * poison the pointer.  Leave other fields in place, for the caller's
	 * use.
	 */
	range->valid = false;
	memset(&range->hmm, POISON_INUSE, sizeof(range->hmm));
}
}
EXPORT_SYMBOL(hmm_range_unregister);
EXPORT_SYMBOL(hmm_range_unregister);
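
Review bot: dropping the early return at the top of hmm_range_unregister() (the removed `if (hmm == NULL || range->end <= range->start) return;`) changes behaviour for more than the double-unregister case the commit message names. A range that was never registered, so range->hmm is still NULL, or one with end <= start, used to return silently and now goes straight to mutex_lock(&hmm->lock). If that is intended, state it in the function's comment (the range must have been registered by hmm_range_register() and may be unregistered only once) so callers with error-path cleanup can audit themselves. Separately, the new memset() at the end leaves detection to whatever happens when the poisoned pointer is next dereferenced; a WARN_ON() at entry that compares range->hmm against the poison pattern would report the misuse explicitly instead of depending on the fault.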