From: Vlastimil Babka
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen
Cc: x86@kernel.org, "H. Peter Anvin", patches@lists.linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Vlastimil Babka, Baoquan He, Dave Young, stable@vger.kernel.org
Subject: [PATCH] x86/kexec: fix double vfree of image->elf_headers
Date: Mon, 2 Jan 2023 11:39:17 +0100
Message-Id: <20230102103917.20987-1-vbabka@suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

An investigation of a "Trying to vfree() nonexistent vm area" bug
occurring in arch_kimage_file_post_load_cleanup() doing a
vfree(image->elf_headers) in our 5.14-based kernel yielded the following
double vfree() scenario, also present in mainline:

SYSCALL_DEFINE5(kexec_file_load)
  kimage_file_alloc_init()
    kimage_file_prepare_segments()
      arch_kexec_kernel_image_probe()
        kexec_image_load_default()
          kexec_bzImage64_ops.load()
            bzImage64_load()
              crash_load_segments()
                prepare_elf_headers(image, &kbuf.buffer, &kbuf.bufsz);
                image->elf_headers = kbuf.buffer;
                ret = kexec_add_buffer(&kbuf);
                if (ret)
                  vfree((void *)image->elf_headers); // first vfree()
    if (ret)
      kimage_file_post_load_cleanup()
        vfree(image->elf_headers); // second vfree()

AFAICS the scenario is possible since v5.19 commit b3e34a47f989
("x86/kexec: fix memory leak of elf header buffer") that was marked for
stable and also was backported to our kernel.

Fix the problem by setting the pointer to NULL after the first vfree().
Also set elf_headers_sz to 0, as kimage_file_post_load_cleanup() does.

Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer")
Signed-off-by: Vlastimil Babka Cc: Baoquan He Cc: Dave Young Cc: --- arch/x86/kernel/crash.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index 9730c88530fc..0d651c05a49e 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -403,6 +403,8 @@ int crash_load_segments(struct kimage *image) ret = kexec_add_buffer(&kbuf); if (ret) { vfree((void *)image->elf_headers); + image->elf_headers = NULL; + image->elf_headers_sz = 0; return ret; } image->elf_load_addr = kbuf.mem; -- 2.39.0
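Review bot: Clearing image->elf_headers after the vfree() in crash_load_segments() is the right fix for the double free, since it turns the later vfree(image->elf_headers) in kimage_file_post_load_cleanup() into a vfree(NULL) no-op, but the hunk leaves two places that both believe they own the buffer; the error path in crash_load_segments() now duplicates exactly what kimage_file_post_load_cleanup() does (vfree, NULL, elf_headers_sz = 0, per the commit message). Consider either dropping the local vfree() and letting the post-load cleanup own the buffer, or adding a one-line comment above `vfree((void *)image->elf_headers);` saying the pointer must be cleared because the caller frees it again on failure, so the two paths do not drift apart the way they did after b3e34a47f989. The Fixes: tag and stable Cc look appropriate given that commit was itself backported.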
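The double free described in the commit message, played out in a small user-space model. This is an added example, not code from the patch or the kernel: struct kimage, vmalloc()/vfree(), crash_load_segments() and kimage_file_post_load_cleanup() are replaced by constructed stand-ins that count frees and flag a vfree() of a pointer that is no longer live, and the kexec_file_load() failure path is run once with the pre-patch error path and once with the two added assignments.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two struct kimage fields the patch touches. */
struct kimage {
	void *elf_headers;
	unsigned long elf_headers_sz;
};

/*
 * Instrumented stand-ins for vmalloc()/vfree(). A single live buffer is
 * tracked so that a vfree() of a pointer that is no longer live is counted
 * instead of corrupting the heap (the kernel reports this situation as
 * "Trying to vfree() nonexistent vm area").
 */
static void *live_buffer;
static int free_calls;
static int double_frees;

static void *fake_vmalloc(unsigned long size)
{
	live_buffer = malloc(size);
	return live_buffer;
}

static void fake_vfree(void *addr)
{
	if (!addr)
		return;		/* like the kernel's vfree(), NULL is a no-op */
	free_calls++;
	if (addr != live_buffer) {
		double_frees++;	/* stale pointer: this is the double free */
		return;
	}
	free(addr);
	live_buffer = NULL;
}

/* crash_load_segments() error path before the patch: free, keep the stale pointer. */
static int crash_load_segments_before(struct kimage *image, int add_buffer_fails)
{
	image->elf_headers = fake_vmalloc(64);	/* prepare_elf_headers() stand-in */
	image->elf_headers_sz = 64;
	if (add_buffer_fails) {			/* kexec_add_buffer() returned an error */
		fake_vfree(image->elf_headers);	/* first vfree() */
		return -ENOMEM;
	}
	return 0;
}

/* The same path with the patch applied: clear pointer and size after freeing. */
static int crash_load_segments_after(struct kimage *image, int add_buffer_fails)
{
	image->elf_headers = fake_vmalloc(64);
	image->elf_headers_sz = 64;
	if (add_buffer_fails) {
		fake_vfree(image->elf_headers);	/* first vfree() */
		image->elf_headers = NULL;
		image->elf_headers_sz = 0;
		return -ENOMEM;
	}
	return 0;
}

/* Stand-in for kimage_file_post_load_cleanup(): the caller's unconditional cleanup. */
static void post_load_cleanup(struct kimage *image)
{
	fake_vfree(image->elf_headers);		/* second vfree() */
	image->elf_headers = NULL;
	image->elf_headers_sz = 0;
}

/*
 * Drive the kexec_file_load() failure path: the load fails, so the caller
 * runs the post-load cleanup. Returns the number of double frees observed.
 */
static int run_failure_path(int (*load)(struct kimage *, int))
{
	struct kimage image = { 0 };

	live_buffer = NULL;
	free_calls = 0;
	double_frees = 0;

	if (load(&image, 1))
		post_load_cleanup(&image);
	return double_frees;
}

/* Number of non-NULL vfree() calls made by the most recent run. */
static int last_free_calls(void)
{
	return free_calls;
}

int main(void)
{
	printf("before patch: %d double free(s)\n", run_failure_path(crash_load_segments_before));
	printf("after patch:  %d double free(s)\n", run_failure_path(crash_load_segments_after));
	return 0;
}
```

The instrumented vfree() makes the mechanism visible: the pre-patch path frees the buffer twice because the inner error path frees it and leaves the pointer in the image, while the outer cleanup frees whatever the image still points at. With the pointer cleared, the outer cleanup sees NULL and the buffer is freed exactly once.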