lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Jun 2010 09:58:35 +0800 From: Xiaotian Feng <dfeng@...hat.com> To: Marcin Slusarz <marcin.slusarz@...il.com> CC: Dan Carpenter <error27@...il.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, Venkatesh Pallipadi <venkatesh.pallipadi@...el.com>, Jack Steiner <steiner@....com>, Suresh Siddha <suresh.b.siddha@...el.com>, linux-kernel@...r.kernel.org, x86@...nel.org Subject: Re: [patch] x86, pat: freeing invalid memtype messages On 06/18/2010 12:17 AM, Marcin Slusarz wrote: > On Thu, Jun 17, 2010 at 03:45:59PM +0200, Dan Carpenter wrote: >> Commit 20413f27163 "x86, pat: Fix memory leak in free_memtype" added an >> error message in free_memtype() if rbt_memtype_erase() returns NULL. >> The problem is that if CONFIG_X86_PAT is enabled, we use a different >> implimentation of rbt_memtype_erase() that always returns NULL. >> >> I've modified rbt_memtype_erase() to return an ERR_PTR() on errors and >> made free_memtype() check for that instead. >> >> Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=16205 >> >> Signed-off-by: Dan Carpenter<error27@...il.com> > > This patch is probably ok, but it does not address my bug. > I have CONFIG_X86_PAT=y, so rbt_memtype_erase does not always return NULL. The reason for the warning "swapper:1 freeing invalid memtype \ bf799000-bf79a000" could be two callers reserved "bf799000 - bf79a000". The two callers has the same reserve area and same memtype, so the sencond caller will also success to reserve "bf799000 - bf79a000". But at the free stage, if one caller freed "bf799000 - bf79a000", then another caller is trying to free "bf799000 - bf79a000", can not find it in the rbtree, so pop up an invalid memtype. > >> diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c >> index acc15b2..81b7735 100644 >> --- a/arch/x86/mm/pat.c >> +++ b/arch/x86/mm/pat.c >> @@ -359,10 +359,10 @@ int free_memtype(u64 start, u64 end) >> entry = rbt_memtype_erase(start, end); >> spin_unlock(&memtype_lock); >> >> - if (!entry) { >> + if (IS_ERR(entry)) { >> printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n", >> current->comm, current->pid, start, end); >> - return -EINVAL; >> + return PTR_ERR(entry); >> } >> >> kfree(entry); >> diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c >> index f537087..90e5cbe 100644 >> --- a/arch/x86/mm/pat_rbtree.c >> +++ b/arch/x86/mm/pat_rbtree.c >> @@ -236,8 +236,10 @@ struct memtype *rbt_memtype_erase(u64 start, u64 end) >> struct memtype *data; >> >> data = memtype_rb_exact_match(&memtype_rbroot, start, end); >> - if (!data) >> + if (!data) { >> + data = ERR_PTR(-EINVAL); >> goto out; >> + } >> >> rb_erase(&data->rb,&memtype_rbroot); >> out: >> >> > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists