mm/hmm: Poison hmm_range during unregister

Trying to misuse a range outside its lifetime is a kernel bug. Use poison
bytes to help detect this condition. Double unregister will reliably crash.

Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Acked-by: Souptick Joarder <jrdr.linux@gmail.com>
Reviewed-by: Ralph Campbell <rcampbell@nvidia.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Tested-by: Philip Yang <Philip.Yang@amd.com>

diff --git a/mm/hmm.c b/mm/hmm.c
index 2ef14b2..c30aa94 100644 (file)
--- a/mm/hmm.c
+++ b/mm/hmm.c
@@ -925,19 +925,21 @@ void hmm_range_unregister(struct hmm_range *range)
 {
        struct hmm *hmm = range->hmm;
 
-       /* Sanity check this really should not happen. */
-       if (hmm == NULL || range->end <= range->start)
-               return;
-
        mutex_lock(&hmm->lock);
        list_del_init(&range->list);
        mutex_unlock(&hmm->lock);
 
        /* Drop reference taken by hmm_range_register() */
-       range->valid = false;
        mmput(hmm->mm);
        hmm_put(hmm);
-       range->hmm = NULL;
+
+       /*
+        * The range is now invalid and the ref on the hmm is dropped, so
+        * poison the pointer.  Leave other fields in place, for the caller's
+        * use.
+        */
+       range->valid = false;
+       memset(&range->hmm, POISON_INUSE, sizeof(range->hmm));
 }
 EXPORT_SYMBOL(hmm_range_unregister);