Date: Mon, 2 Jan 2023 12:24:29 +0100
From: Vlastimil Babka
Subject: Re: [PATCH] x86/kexec: fix double vfree of image->elf_headers
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Takashi Iwai
Cc: x86@kernel.org, "H. Peter Anvin", patches@lists.linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Baoquan He, Dave Young, stable@vger.kernel.org
References: <20230102103917.20987-1-vbabka@suse.cz>
In-Reply-To: <20230102103917.20987-1-vbabka@suse.cz>

On 1/2/23 11:39, Vlastimil Babka wrote:
> An investigation of a "Trying to vfree() nonexistent vm area" bug
> occurring in arch_kimage_file_post_load_cleanup() doing a
> vfree(image->elf_headers) in our 5.14-based kernel yielded the following
> double vfree() scenario, also present in mainline:
>
> SYSCALL_DEFINE5(kexec_file_load)
>   kimage_file_alloc_init()
>     kimage_file_prepare_segments()
>       arch_kexec_kernel_image_probe()
>         kexec_image_load_default()
>           kexec_bzImage64_ops.load()
>             bzImage64_load()
>               crash_load_segments()
>                 prepare_elf_headers(image, &kbuf.buffer, &kbuf.bufsz);
>                 image->elf_headers = kbuf.buffer;
>                 ret = kexec_add_buffer(&kbuf);
>                 if (ret) vfree((void *)image->elf_headers); // first vfree()
>     if (ret) kimage_file_post_load_cleanup()
>                vfree(image->elf_headers); // second vfree()
>
> AFAICS the scenario is possible since v5.19 commit b3e34a47f989
> ("x86/kexec: fix memory leak of elf header buffer") that was marked for
> stable and also was backported to our kernel.
>
> Fix the problem by setting the pointer to NULL after the first vfree().
> Also set elf_headers_sz to 0, as kimage_file_post_load_cleanup() does.
>
> Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer")
> Signed-off-by: Vlastimil Babka
> Cc: Baoquan He
> Cc: Dave Young
> Cc: Takashi Iwai

Takashi told me he sent a slightly different fix already in November:
https://lore.kernel.org/all/20221122115122.13937-1-tiwai@suse.de/

Seems it wasn't picked up? You might pick his then, as Baoquan acked it,
and it's removing code, not adding it.

> ---
>  arch/x86/kernel/crash.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c
> index 9730c88530fc..0d651c05a49e 100644
> --- a/arch/x86/kernel/crash.c
> +++ b/arch/x86/kernel/crash.c
> @@ -403,6 +403,8 @@ int crash_load_segments(struct kimage *image)
>  	ret = kexec_add_buffer(&kbuf);
>  	if (ret) {
>  		vfree((void *)image->elf_headers);
> +		image->elf_headers = NULL;
> +		image->elf_headers_sz = 0;
>  		return ret;
>  	}
>  	image->elf_load_addr = kbuf.mem;
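Review bot: clearing the pointer does stop the second vfree() in kimage_file_post_load_cleanup() from touching a freed area, but the hunk leaves two cleanup paths responsible for the same buffer: the local vfree() in the crash_load_segments() error branch and the generic one that, per the description, already does vfree(image->elf_headers) and resets elf_headers_sz. Dropping the local `vfree((void *)image->elf_headers);` together with the two added assignments, so the error branch simply does `return ret;` and lets the generic cleanup free the buffer, removes the double free by construction and matches the alternative fix linked in the reply, which removes code rather than adding it. If the local free is kept, a one-line comment saying the pointer must be cleared because kimage_file_post_load_cleanup() frees it again would stop a future change from reintroducing the bug.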
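The double vfree() in the description comes from two cleanup layers owning the same buffer: the arch-specific error path frees image->elf_headers, then the generic post-load cleanup frees it again. The following user-space C program is an added illustration, not code from the patch or the kernel; it models that flow with a constructed `struct kimage` holding only the two fields the patch touches, a hypothetical `fake_vmalloc()`/`fake_vfree()` pair that tracks live allocations so a second free is counted instead of corrupting the heap, and a `run_load()` driver that switches between the unpatched and patched error paths. It shows why clearing the pointer after the first free makes the second free a harmless no-op (vfree(NULL), like free(NULL), does nothing), and that the success path is unaffected either way.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's struct kimage: only the two
 * fields touched by the patch. */
struct kimage {
    void *elf_headers;
    unsigned long elf_headers_sz;
};

/* Hypothetical allocator wrapper (not the kernel's vmalloc/vfree): keeps a
 * small table of live blocks so a free of a non-live pointer is detected
 * and counted rather than handed to the real heap twice. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int double_free_count;

static void *fake_vmalloc(size_t sz) {
    void *p = malloc(sz);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    free(p);            /* table full: treat as allocation failure */
    return NULL;
}

/* Mirrors vfree() semantics: NULL is a no-op, a live block is released,
 * anything else is a double free. */
static void fake_vfree(void *p) {
    if (!p)
        return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_free_count++;
}

/* Generic cleanup, doing what the description says
 * kimage_file_post_load_cleanup() does with elf_headers. */
static void post_load_cleanup(struct kimage *image) {
    fake_vfree(image->elf_headers);          /* second vfree() on the error path */
    image->elf_headers = NULL;
    image->elf_headers_sz = 0;
}

/* Arch-specific load step with the error path from the patch.
 * add_buffer_fails simulates kexec_add_buffer() returning an error;
 * clear_after_free selects the unpatched (0) or patched (1) branch. */
static int crash_load_segments(struct kimage *image, int add_buffer_fails,
                               int clear_after_free) {
    image->elf_headers = fake_vmalloc(64);   /* prepare_elf_headers() */
    image->elf_headers_sz = 64;
    if (add_buffer_fails) {
        fake_vfree(image->elf_headers);      /* first vfree() */
        if (clear_after_free) {
            image->elf_headers = NULL;       /* the patch's two added lines */
            image->elf_headers_sz = 0;
        }
        return -1;
    }
    return 0;
}

/* Caller-level flow as in kimage_file_alloc_init(): the generic cleanup runs
 * after an error, and eventually when the image is torn down on success.
 * Returns the number of double frees observed. */
static int run_load(int add_buffer_fails, int clear_after_free) {
    struct kimage image = {0};
    double_free_count = 0;
    (void)crash_load_segments(&image, add_buffer_fails, clear_after_free);
    post_load_cleanup(&image);
    return double_free_count;
}

int main(void) {
    printf("error path, unpatched: %d double free(s)\n", run_load(1, 0));
    printf("error path, patched:   %d double free(s)\n", run_load(1, 1));
    printf("success path:          %d double free(s)\n", run_load(0, 1));
    return 0;
}
```

The same harness also shows why the alternative fix mentioned in the reply works: if the local `fake_vfree()` call in `crash_load_segments()` is deleted outright, the pointer stays live until `post_load_cleanup()` runs and there is only one owner of the buffer, so neither the NULL assignment nor the size reset is needed in the error branch.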