mm/kmemleak: simplify kmemleak_cond_resched() usage

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2151065
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-stable&id=6061e740822530a4ef443548b19c4e0bc6342c7a

commit 6061e74
Author: Waiman Long <longman@redhat.com>
Date:   Wed, 18 Jan 2023 23:01:10 -0500

    mm/kmemleak: simplify kmemleak_cond_resched() usage

    Patch series "mm/kmemleak: Simplify kmemleak_cond_resched() & fix UAF", v2.

    It was found that a KASAN use-after-free error was reported in the
    kmemleak_scan() function.  After further examination, it is believe that
    even though a reference is taken from the current object, it does not
    prevent the object pointed to by the next pointer from going away after a
    cond_resched().

    To fix that, additional flags are added to make sure that the current
    object won't be removed from the object_list during the duration of the
    cond_resched() to ensure the validity of the next pointer.

    While making the change, I also simplify the current usage of
    kmemleak_cond_resched() to make it easier to understand.

    This patch (of 2):

    The presence of a pinned argument and the 64k loop count make
    kmemleak_cond_resched() a bit more complex to read.  The pinned argument
    is used only by first kmemleak_scan() loop.

    Simplify the usage of kmemleak_cond_resched() by removing the pinned
    argument and always do a get_object()/put_object() sequence.  In addition,
    the 64k loop is removed by using need_resched() to decide if
    kmemleak_cond_resched() should be called.

    Link: https://lkml.kernel.org/r/20230119040111.350923-1-longman@redhat.com
    Link: https://lkml.kernel.org/r/20230119040111.350923-2-longman@redhat.com
    Signed-off-by: Waiman Long <longman@redhat.com>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Muchun Song <songmuchun@bytedance.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Signed-off-by: Waiman Long <longman@redhat.com>

Author: Waiman-Long

mm/kmemleak.c

@@ -1466,22 +1466,17 @@ static void scan_gray_list(void)
 /*
  * Conditionally call resched() in an object iteration loop while making sure
  * that the given object won't go away without RCU read lock by performing a
- * get_object() if !pinned.
- *
- * Return: false if can't do a cond_resched() due to get_object() failure
- *	   true otherwise
+ * get_object() if necessaary.
  */
-static bool kmemleak_cond_resched(struct kmemleak_object *object, bool pinned)
+static void kmemleak_cond_resched(struct kmemleak_object *object)
 {
-	if (!pinned && !get_object(object))
-		return false;
+	if (!get_object(object))
+		return;	/* Try next object */
 
 	rcu_read_unlock();
 	cond_resched();
 	rcu_read_lock();
-	if (!pinned)
-		put_object(object);
-	return true;
+	put_object(object);
 }
 
 /*
@@ -1495,15 +1490,12 @@ static void kmemleak_scan(void)
 	struct zone *zone;
 	int __maybe_unused i;
 	int new_leaks = 0;
-	int loop_cnt = 0;
 
 	jiffies_last_scan = jiffies;
 
 	/* prepare the kmemleak_object's */
 	rcu_read_lock();
 	list_for_each_entry_rcu(object, &object_list, object_list) {
-		bool obj_pinned = false;
-
 		raw_spin_lock_irq(&object->lock);
 #ifdef DEBUG
 		/*
@@ -1529,19 +1521,13 @@ static void kmemleak_scan(void)
 
 		/* reset the reference count (whiten the object) */
 		object->count = 0;
-		if (color_gray(object) && get_object(object)) {
+		if (color_gray(object) && get_object(object))
 			list_add_tail(&object->gray_list, &gray_list);
-			obj_pinned = true;
-		}
 
 		raw_spin_unlock_irq(&object->lock);
 
-		/*
-		 * Do a cond_resched() every 64k objects to avoid soft lockup.
-		 */
-		if (!(++loop_cnt & 0xffff) &&
-		    !kmemleak_cond_resched(object, obj_pinned))
-			loop_cnt--; /* Try again on next object */
+		if (need_resched())
+			kmemleak_cond_resched(object);
 	}
 	rcu_read_unlock();
 
@@ -1608,14 +1594,9 @@ static void kmemleak_scan(void)
 	 * scan and color them gray until the next scan.
 	 */
 	rcu_read_lock();
-	loop_cnt = 0;
 	list_for_each_entry_rcu(object, &object_list, object_list) {
-		/*
-		 * Do a cond_resched() every 64k objects to avoid soft lockup.
-		 */
-		if (!(++loop_cnt & 0xffff) &&
-		    !kmemleak_cond_resched(object, false))
-			loop_cnt--;	/* Try again on next object */
+		if (need_resched())
+			kmemleak_cond_resched(object);
 
 		/*
 		 * This is racy but we can save the overhead of lock/unlock
@@ -1650,14 +1631,9 @@ static void kmemleak_scan(void)
 	 * Scanning result reporting.
 	 */
 	rcu_read_lock();
-	loop_cnt = 0;
 	list_for_each_entry_rcu(object, &object_list, object_list) {
-		/*
-		 * Do a cond_resched() every 64k objects to avoid soft lockup.
-		 */
-		if (!(++loop_cnt & 0xffff) &&
-		    !kmemleak_cond_resched(object, false))
-			loop_cnt--;	/* Try again on next object */
+		if (need_resched())
+			kmemleak_cond_resched(object);
 
 		/*
 		 * This is racy but we can save the overhead of lock/unlock