From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E35DC3DA7A for ; Mon, 2 Jan 2023 11:24:34 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A70928E0002; Mon, 2 Jan 2023 06:24:33 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id A21098E0001; Mon, 2 Jan 2023 06:24:33 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8E9168E0002; Mon, 2 Jan 2023 06:24:33 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 806168E0001 for ; Mon, 2 Jan 2023 06:24:33 -0500 (EST) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 4CC441C605D for ; Mon, 2 Jan 2023 11:24:33 +0000 (UTC) X-FDA: 80309626026.04.F93A37D Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by imf16.hostedemail.com (Postfix) with ESMTP id 6788B180010 for ; Mon, 2 Jan 2023 11:24:31 +0000 (UTC) Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=W+MNNtWO; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=sl92HB9J; spf=pass (imf16.hostedemail.com: domain of vbabka@suse.cz designates 195.135.220.28 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1672658671; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=zBBA2nzNlNZSsvXhqPF5ZZXmCuwF1QaNQRQ7CORp228=; b=PJsQEHCxQrYDm7Q8qdvX3KezMvcoMs00pVcsA2E4lv6pjTZHsO8b2FLjedvpEplC5PFkd/ Jq1VqV6fc9gGPyRo3xtGj4gZ7Oc93+WRD6quo//IRUCEg34YZmAw4tkSokg5XoqdgZwmeK 7Vb7NEGikNmAnZ4WrhFtURC4Lj+PBLw= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=W+MNNtWO; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=sl92HB9J; spf=pass (imf16.hostedemail.com: domain of vbabka@suse.cz designates 195.135.220.28 as permitted sender) smtp.mailfrom=vbabka@suse.cz; dmarc=none ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1672658671; a=rsa-sha256; cv=none; b=Mq+LfZ8foevYjUkH73YnrBUuyV5ng+4D0/GY9mbTzaaa0HyKIK3nucMLvMHfR+rbZgNOyC YXoa64OWsS7PDzDJBB9ThZ7/xDbYPXrILo+pl7YZjLnI/44Ho4YgwLZBZJM8rER5ZEk6kn 3AIcKiAgvplaaI3CjHjPsU48ZU9n6G0= Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id DCF5D2256F; Mon, 2 Jan 2023 11:24:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1672658669; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zBBA2nzNlNZSsvXhqPF5ZZXmCuwF1QaNQRQ7CORp228=; b=W+MNNtWOV2kZ3FIcdAAT9QOD4LZEnFG5CFXuF3hZd1Y1eVmqAAVMO/VRayl7Z+4qhhNfD8 q4X09/cdkwSAp9J3g9lhmO3rJGO3qQDIkjOFrWxltxawKTAASUepMvFCJYXLXRoBQbG2lz 7R1UOTRaB3ZRcf0gjxXn/kyrrBHAFU8= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1672658669; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zBBA2nzNlNZSsvXhqPF5ZZXmCuwF1QaNQRQ7CORp228=; b=sl92HB9JIQWiy9kLRPLV1wr2nNBaENBgI88KKooa8T8gNUHfnt76oiOZQD4eH7rLUeZ3zo YZ/rDaJ2pCWz05Ag== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id AD36E13427; Mon, 2 Jan 2023 11:24:29 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id fYyMKe2+smNRbwAAMHmgww (envelope-from ); Mon, 02 Jan 2023 11:24:29 +0000 Message-ID: Date: Mon, 2 Jan 2023 12:24:29 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1 Subject: Re: [PATCH] x86/kexec: fix double vfree of image->elf_headers Content-Language: en-US To: Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Takashi Iwai Cc: x86@kernel.org, "H. Peter Anvin" , patches@lists.linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Baoquan He , Dave Young , stable@vger.kernel.org References: <20230102103917.20987-1-vbabka@suse.cz> From: Vlastimil Babka In-Reply-To: <20230102103917.20987-1-vbabka@suse.cz> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspam-User: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 6788B180010 X-Stat-Signature: ur3o3qg81tms3x4c6zetos5f4mpj7gtg X-HE-Tag: 1672658671-458534 X-HE-Meta: U2FsdGVkX18h27kiQVOz6J+p8Yw2rTbIIjFewIH53+qtcE/PlCqnjzm0qn0CuFCoOTNK71YyRt+ysgm1XBGX4u+Nmon8LmvhlNsl8GNsYkCoX2O0QMPloYdiTboSDdp8ALlx6RlELol1ffiTWsWNsIWleQM657Jy6gBwfeZPLGemH7Siq6YaCsU7XC0wvR9l3vfhXvl+8s3SMuDgYUyWfokUJP+8aZpIeGfrQW77GJN0R4udeXhmQ7hM075ouRP7xBqgzMDVBOVa/mTe1M3CDa7g1W88UmSTusIuMmcunTC+m8QUuNiZ+8tuZ9OJ1N9akWaZBB3yicvfhT3SvegnkGEtA715tdwzMiROPva+yTXu/q0Qwdmu8lfBtEaPP09rtU/HVa7pWHj3wPn11tLg13k5rBdv0k7pY7pUw/R8LJzzFbJ3/3Fod80Mxf8X3q30WhqVAHrqJrGi547Z1Hhxz8A1b0+2uC67AeEzZLvz3C/ryiCkTAcvTVXo5o9YoX4ReZqkycSFCcmsDhDrmsyf+yoqXFaQYi6bAiHPlrY/Tpj5B8ou6NziIsTDcfQikMwfXH15dE1q52E1ACexNKpgRAqEBI93KSWuOGH48mFe4Vw50+7+WLEicEFDFa///7FVhGLu6pozvCN4XnTGJsm6xcuvyC9gffKZNOp54/0PgaB1smRHIgUWjFZ5TnmlymTXGoDnJVfQG4ecXpLKMb+6pBuhaRQTU1KRuAp6aOdu1mC0V3I3GdJcfVJBSUGQsCoS+8jJVS2EyzxgPWHMpSUHWGLbbj3nGb0BQz+gsV/lYrDAJ/8SUKNn2q2k7F3GO8WuWKOFHSP37VdjljLYBhKwgQCrKJWpVbMhPUjkzzfstgX9qne2TuPD+pWclQ1aP+TBbtt4pRCNtXHcPRLo7qc2jmbZd+fg93Hj6FpbPRUzLe0fPwqLKVtxG56PfoMVy31kxdzl0ueNYbYZ4wnDAUn j+A== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 1/2/23 11:39, Vlastimil Babka wrote: > An investigation of a "Trying to vfree() nonexistent vm area" bug > occurring in arch_kimage_file_post_load_cleanup() doing a > vfree(image->elf_headers) in our 5.14-based kernel yielded the following > double vfree() scenario, also present in mainline: > > SYSCALL_DEFINE5(kexec_file_load) > kimage_file_alloc_init() > kimage_file_prepare_segments() > arch_kexec_kernel_image_probe() > kexec_image_load_default() > kexec_bzImage64_ops.load() > bzImage64_load() > crash_load_segments() > prepare_elf_headers(image, &kbuf.buffer, &kbuf.bufsz); > image->elf_headers = kbuf.buffer; > ret = kexec_add_buffer(&kbuf); > if (ret) vfree((void *)image->elf_headers); // first vfree() > if (ret) kimage_file_post_load_cleanup() > vfree(image->elf_headers); // second vfree() > > AFAICS the scenario is possible since v5.19 commit b3e34a47f989 > ("x86/kexec: fix memory leak of elf header buffer") that was marked for > stable and also was backported to our kernel. > > Fix the problem by setting the pointer to NULL after the first vfree(). > Also set elf_headers_sz to 0, as kimage_file_post_load_cleanup() does. > > Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer") > Signed-off-by: Vlastimil Babka > Cc: Baoquan He > Cc: Dave Young > Cc: Takashi told me he sent a slightly different fix already in November: https://lore.kernel.org/all/20221122115122.13937-1-tiwai@suse.de/ Seems it wasn't picked up? You might pick his then, as Baoquan acked it, and it's removing code, not adding it. > --- > arch/x86/kernel/crash.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c > index 9730c88530fc..0d651c05a49e 100644 > --- a/arch/x86/kernel/crash.c > +++ b/arch/x86/kernel/crash.c > @@ -403,6 +403,8 @@ int crash_load_segments(struct kimage *image) > ret = kexec_add_buffer(&kbuf); > if (ret) { > vfree((void *)image->elf_headers); > + image->elf_headers = NULL; > + image->elf_headers_sz = 0; > return ret; > } > image->elf_load_addr = kbuf.mem;