From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
To: edumazet@google.com, jasowang@redhat.com
Cc: akpm@linux-foundation.org, surenb@google.com, jack@suse.cz, linux-kernel@vger.kernel.org, Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
Subject: [PATCH include] ptr_ring: fix potential race in ptr_ring_resize_multiple_bh_noprof
Date: Sat, 21 Dec 2024 11:45:55 +0530
Message-Id: <20241221061555.1071516-2-dheeraj.linuxdev@gmail.com>
In-Reply-To: <20241221061555.1071516-1-dheeraj.linuxdev@gmail.com>
References: <20241221061555.1071516-1-dheeraj.linuxdev@gmail.com>

The ptr_ring_resize_multiple_bh_noprof function may have a race condition where queues[i] is freed after releasing the locks. Since this function can be called from multiple threads, another thread could potentially modify queues[i] between the unlock and kvfree operations.

Move the kvfree inside the critical section to ensure atomicity of the queue swap and cleanup operations.

Fixes: 59e6ae53248a("ptr_ring: support resizing multiple queues")
Closes: https://scan7.scan.coverity.com/#/project-view/52337/11354?selectedIssue=1602644
Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
---
 include/linux/ptr_ring.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h index 551329220e4f..cb06c74fc791 100644 --- a/include/linux/ptr_ring.h +++ b/include/linux/ptr_ring.h @@ -641,13 +641,11 @@ static inline int ptr_ring_resize_multiple_bh_noprof(= struct ptr_ring **rings, spin_lock(&(rings[i])->producer_lock); queues[i] =3D __ptr_ring_swap_queue(rings[i], queues[i], size, gfp, destroy); + kvfree(queues[i]); spin_unlock(&(rings[i])->producer_lock); spin_unlock_bh(&(rings[i])->consumer_lock); } =20 - for (i =3D 0; i < nrings; ++i) - kvfree(queues[i]); - kfree(queues); =20 return 0; --=20 2.34.1
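
Review bot: the added kvfree(queues[i]) between the swap and spin_unlock(&(rings[i])->producer_lock) does not close a race that the visible code exhibits, and it lengthens the locked section. queues[i] is overwritten with the return value of __ptr_ring_swap_queue() while both locks are held, so after the unlock it names the old queue that was just swapped out of rings[i], and the queues array itself is released with kfree(queues) right before return 0, which suggests it is private to this call. The commit message should name the concrete path by which another thread reaches queues[i] after the unlock; if there is none, the removed post-unlock loop was already safe and the Fixes: tag is not warranted. If the free does need to stay under the lock, note that it now runs with producer_lock and consumer_lock held and bottom halves disabled (the consumer lock is released with spin_unlock_bh), and kvfree() can take the vfree() path for vmalloc-backed buffers, so the changelog should state why freeing in that context is acceptable.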