linux-kernel.vger.kernel.org archive mirror
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Nick Piggin <npiggin@suse.de>,
	Vegard Nossum <vegard.nossum@gmail.com>,
	Pekka Enberg <penberg@cs.helsinki.fi>,
	Ingo Molnar <mingo@elte.hu>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Subject: [patch 013/114] mm: fix lazy vmap purging (use-after-free error)
Date: Fri, 13 Mar 2009 18:09:50 -0700
Message-ID: <20090314011033.285021056@mini.kroah.org>
In-Reply-To: <20090314011649.GA26170@kroah.com>

[-- Attachment #1: mm-fix-lazy-vmap-purging.patch --]
[-- Type: text/plain, Size: 2901 bytes --]

2.6.28-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Vegard Nossum <vegard.nossum@gmail.com>

commit cbb766766f3f2f6d9326c561b1020590642c6e39 upstream.

I just got this new warning from kmemcheck:

    WARNING: kmemcheck: Caught 32-bit read from freed memory (c7806a60)
    a06a80c7ecde70c1a04080c700000000a06709c1000000000000000000000000
     f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f
     ^

    Pid: 0, comm: swapper Not tainted (2.6.29-rc4 #230)
    EIP: 0060:[<c1096df7>] EFLAGS: 00000286 CPU: 0
    EIP is at __purge_vmap_area_lazy+0x117/0x140
    EAX: 00070f43 EBX: c7806a40 ECX: c1677080 EDX: 00027b66
    ESI: 00002001 EDI: c170df0c EBP: c170df00 ESP: c178830c
     DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
    CR0: 80050033 CR2: c7806b14 CR3: 01775000 CR4: 00000690
    DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
    DR6: 00004000 DR7: 00000000
     [<c1096f3e>] free_unmap_vmap_area_noflush+0x6e/0x70
     [<c1096f6a>] remove_vm_area+0x2a/0x70
     [<c1097025>] __vunmap+0x45/0xe0
     [<c10970de>] vunmap+0x1e/0x30
     [<c1008ba5>] text_poke+0x95/0x150
     [<c1008ca9>] alternatives_smp_unlock+0x49/0x60
     [<c171ef47>] alternative_instructions+0x11b/0x124
     [<c171f991>] check_bugs+0xbd/0xdc
     [<c17148c5>] start_kernel+0x2ed/0x360
     [<c171409e>] __init_begin+0x9e/0xa9
     [<ffffffff>] 0xffffffff

It happened here:

    $ addr2line -e vmlinux -i c1096df7
    mm/vmalloc.c:540

Code:

	list_for_each_entry(va, &valist, purge_list)
		__free_vmap_area(va);

It's this instruction:

    mov    0x20(%ebx),%edx

Which corresponds to a dereference of va->purge_list.next:

    (gdb) p ((struct vmap_area *) 0)->purge_list.next
    Cannot access memory at address 0x20

It seems that we should use "safe" list traversal here, as the element
is freed inside the loop. Please verify that this is the right fix.

Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 mm/vmalloc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -476,6 +476,7 @@ static void __purge_vmap_area_lazy(unsig
 	static DEFINE_SPINLOCK(purge_lock);
 	LIST_HEAD(valist);
 	struct vmap_area *va;
+	struct vmap_area *n_va;
 	int nr = 0;
 
 	/*
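Review bot: `n_va` is only the spare cursor that list_for_each_entry_safe() needs, so it could share the existing declaration as `struct vmap_area *va, *n_va;` rather than take its own line; either way it needs no initialiser, since the macro assigns it before first use.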
@@ -515,7 +516,7 @@ static void __purge_vmap_area_lazy(unsig
 
 	if (nr) {
 		spin_lock(&vmap_area_lock);
-		list_for_each_entry(va, &valist, purge_list)
+		list_for_each_entry_safe(va, n_va, &valist, purge_list)
 			__free_vmap_area(va);
 		spin_unlock(&vmap_area_lock);
 	}
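Review bot: this is the right fix for the report in the changelog. `__free_vmap_area(va)` frees `va`, and the plain `list_for_each_entry()` advanced by reading `va->purge_list.next` after the body returned, which is the freed 32-bit read kmemcheck caught at mm/vmalloc.c:540; `list_for_each_entry_safe()` loads `n_va` before the body runs, so the freed entry is never touched again. The `_safe` variant is only sound because `valist` is the function's private `LIST_HEAD` drained under `vmap_area_lock`, so nothing can unlink `n_va` between iterations.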

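As an added illustration (not code from the patch or the kernel tree), a userland re-creation of the pattern the fix relies on: an intrusive list drained with list_for_each_entry_safe(), which caches the next pointer before the body frees the current entry. The list macros, the reduced struct vmap_area and demo_purge() are constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
/* Userland copies of the kernel list primitives the patch relies on. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* As in the kernel: `n` is read from `pos` before the body runs, so the
 * body may free `pos` without the loop step touching freed memory. */
#define list_for_each_entry_safe(pos, n, head, member)                      \
	for (pos = container_of((head)->next, __typeof__(*pos), member),    \
	     n = container_of(pos->member.next, __typeof__(*pos), member);  \
	     &pos->member != (head);                                        \
	     pos = n, n = container_of(n->member.next, __typeof__(*n), member))
/* Reduced vmap_area: only the fields this example needs (constructed). */
struct vmap_area { unsigned long va_start; struct list_head purge_list; };
/* Stand-in for __free_vmap_area(): unlink, poison the links, free. */
static void free_vmap_area(struct vmap_area *va)
{
	va->purge_list.prev->next = va->purge_list.next;
	va->purge_list.next->prev = va->purge_list.prev;
	va->purge_list.next = va->purge_list.prev = NULL;
	free(va);
}
/* Drain valist as the fixed __purge_vmap_area_lazy() does; with plain
 * list_for_each_entry() the step would read va->purge_list.next after free. */
static int purge_vmap_areas(struct list_head *valist)
{
	struct vmap_area *va, *n_va;
	int nr = 0;
	list_for_each_entry_safe(va, n_va, valist, purge_list) {
		free_vmap_area(va);
		nr++;
	}
	return nr;
}

/* Build a constructed purge list of `count` areas and drain it; returns
 * the number freed, or -1 if the list was not left empty. */
int demo_purge(int count)
{
	struct list_head valist = { &valist, &valist };
	for (int i = 0; i < count; i++) {
		struct vmap_area *va = malloc(sizeof *va);
		va->va_start = 0x1000UL * (unsigned long)i;
		va->purge_list.next = valist.next; va->purge_list.prev = &valist;
		valist.next->prev = &va->purge_list; valist.next = &va->purge_list;
	}
	return purge_vmap_areas(&valist) == count && valist.next == &valist
		? count : -1;
}
```

Run it under Valgrind or AddressSanitizer, then swap the loop for an unsafe variant that advances from `va` after the free, to see the same class of freed read kmemcheck reported.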


