From: Ingo Molnar <mingo@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
Linus Torvalds <torvalds@linuxfoundation.org>,
x86@kernel.org, Andy Lutomirski <luto@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Borislav Petkov <bp@alien8.de>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Subject: Re: [patch 1/3] x86/ldt: Free the right LDT memory in write_ldt() error path
Date: Sat, 30 Dec 2017 22:33:37 +0100 [thread overview]
Message-ID: <20171230213337.tns3dtj7z526bvf2@gmail.com> (raw)
In-Reply-To: <20171230211829.508293470@linutronix.de>
* Thomas Gleixner <tglx@linutronix.de> wrote:
> The error path in write_ldt() frees the already installed LDT memory
> instead of the newly allocated which cannot be installed.
s/newly allocated
/newly allocated one
>
> Fixes: f55f0501cbf6 ("x86/pti: Put the LDT in its own PGD if PTI is on")
> Reported-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> ---
> arch/x86/kernel/ldt.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/arch/x86/kernel/ldt.c
> +++ b/arch/x86/kernel/ldt.c
> @@ -421,7 +421,7 @@ static int write_ldt(void __user *ptr, u
> */
> error = map_ldt_struct(mm, new_ldt, old_ldt ? !old_ldt->slot : 0);
> if (error) {
> - free_ldt_struct(old_ldt);
> + free_ldt_struct(new_ldt);
> goto out_unlock;
> }
>
This bug kind of scares me ...
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Thanks,
Ingo
next prev parent reply other threads:[~2017-12-30 21:33 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-30 21:13 [patch 0/3] x86/pti: Fix various fallout Thomas Gleixner
2017-12-30 21:13 ` [patch 1/3] x86/ldt: Free the right LDT memory in write_ldt() error path Thomas Gleixner
2017-12-30 21:33 ` Ingo Molnar [this message]
2017-12-31 10:24 ` [patch V2 1/3] x86/ldt: Plug memory leak in " Thomas Gleixner
2017-12-31 15:23 ` Andy Lutomirski
2017-12-30 21:13 ` [patch 2/3] x86/smpboot: Remove stale tlb flush invocations Thomas Gleixner
2017-12-30 21:32 ` Ingo Molnar
2017-12-30 21:13 ` [patch 3/3] x86/mm: Remove preempt_disable/enable() from __native_flush_tlb() Thomas Gleixner
2017-12-30 21:31 ` Ingo Molnar
2017-12-30 21:35 ` [patch 0/3] x86/pti: Fix various fallout Ingo Molnar
2017-12-30 22:06 ` Linus Torvalds
2017-12-31 2:23 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171230213337.tns3dtj7z526bvf2@gmail.com \
--to=mingo@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linuxfoundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.