From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
To: edumazet@google.com,
	jasowang@redhat.com
Cc: akpm@linux-foundation.org,
	surenb@google.com,
	jack@suse.cz,
	linux-kernel@vger.kernel.org,
	Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
Subject: [PATCH include] ptr_ring: fix potential race in
 ptr_ring_resize_multiple_bh_noprof
Date: Sat, 21 Dec 2024 11:45:55 +0530
Message-Id: <20241221061555.1071516-2-dheeraj.linuxdev@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20241221061555.1071516-1-dheeraj.linuxdev@gmail.com>
References: <20241221061555.1071516-1-dheeraj.linuxdev@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The ptr_ring_resize_multiple_bh_noprof function may have a race condition
where queues[i] is freed after releasing the locks. Since this function
can be called from multiple threads, another thread could potentially modify
queues[i] between the unlock and kvfree operations.

Move the kvfree inside the critical section to ensure atomicity of the
queue swap and cleanup operations.

Fixes: 59e6ae53248a ("ptr_ring: support resizing multiple queues")
Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602644
Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
---
 include/linux/ptr_ring.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
index 551329220e4f..cb06c74fc791 100644
--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -641,13 +641,11 @@ static inline int ptr_ring_resize_multiple_bh_noprof(=
struct ptr_ring **rings,
 		spin_lock(&(rings[i])->producer_lock);
 		queues[i] =3D __ptr_ring_swap_queue(rings[i], queues[i],
 						  size, gfp, destroy);
+		kvfree(queues[i]);
 		spin_unlock(&(rings[i])->producer_lock);
 		spin_unlock_bh(&(rings[i])->consumer_lock);
 	}
=20
-	for (i =3D 0; i < nrings; ++i)
-		kvfree(queues[i]);
-
 	kfree(queues);
=20
 	return 0;
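Review bot: The added kvfree(queues[i]) now runs with consumer_lock and producer_lock held and bottom halves disabled, but the visible lines do not show what the locks would protect it from. queues[i] is assigned the return value of __ptr_ring_swap_queue() and the array itself is released with kfree(queues) at the end of the function, which suggests queues belongs to this call alone; if so, no other thread can reach queues[i] between the unlock and the free, and the original loop after the locked section is already safe. Please state in the commit message which concurrent path can modify queues[i], or drop the change, since as written it only lengthens the critical section.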
--=20
2.34.1