2010-11-03 21:15:19

by Randy Dunlap

Subject: Re: Linux 2.6.37-rc1 (pcrypt fault)


modprobe pcrypt; rmmod pcrypt ==>


[ 76.081639] calling pcrypt_init+0x0/0x107 [pcrypt] @ 3016
Nov 3 13:02:15 control kernel: [ 76.089883] initcall pcrypt_init+0x0/0x107 [pcrypt] returned 0 after 2476 usecs
[ 76.081639] calling pcrypt_i


[ 79.940445] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 79.946419] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.1/usb3/3-1/3-1.3/devnum
[ 79.954652] CPU 0
[ 79.954652] Modules linked in: pcrypt(-) ipt_MASQUERADE iptable_nat nf_nat af_packet nfsd lockd nfs_acl auth_rpcgss exportfs sco bridge stp llc bnep l2cap crc16 bluetooth rfkill sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod freq_table speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath scsi_dh dm_mod kvm uinput mousedev joydev snd_intel8x0 snd_ac97_codec ppdev ac97_bus snd_seq snd_seq_device usbmouse snd_pcm led_class usbkbd usbhid hid iTCO_wdt snd_timer iTCO_vendor_support tg3 snd sr_mod dcdbas sg soundcore rng_core cdrom pcspkr parport_pc i2c_i801 rtc_cmos snd_page_alloc evdev shpchp rtc_core parport rtc_lib
mac_hid pci_hotplug 8250_pnp unix ide_pci_generic ide_core ata_generic pata_acpi ata_piix sd_mod crc_t10dif ext3 jbd mbcache uhci_hcd ohci_hcd ssb mmc_core pcmcia pcmcia_core firmware_class!
ehci_hcd usbcore nls_base i915 drm_kms_helper intel_agp button intel_gtt video thermal_sys hwmon output [last unloaded: mperf]
[ 80.054943]
[ 80.058247] Pid: 3074, comm: rmmod Not tainted 2.6.37-rc1 #7 0HH807/OptiPlex GX620
[ 80.058247] RIP: 0010:[<ffffffff810c3a98>] [<ffffffff810c3a98>] __lock_acquire+0x131/0x4e8
[ 80.058247] RSP: 0018:ffff88006d0b9cd8 EFLAGS: 00010002
[ 80.058247] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88006d3c93c8 RCX: 0000000000000000
[ 80.058247] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006d3c93c8
[ 80.058247] RBP: ffff88006d0b9d38 R08: 0000000000000001 R09: 0000000000000000
[ 80.058247] R10: ffff88006d0b9ea8 R11: ffff88007c002c80 R12: 0000000000000000
[ 80.058247] R13: ffff88006c5f8000 R14: 0000000000000000 R15: 0000000000000000
[ 80.058247] FS: 00007f6fed3ba6f0(0000) GS:ffff88007c600000(0000) knlGS:0000000000000000
[ 80.058247] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 80.058247] CR2: 0000000000627410 CR3: 000000006d047000 CR4: 00000000000006f0
[ 80.058247] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 80.058247] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 80.058247] Process rmmod (pid: 3074, threadinfo ffff88006d0b8000, task ffff88006c5f8000)
[ 80.058247] Stack:
[ 80.058247] ffff88006d3c9240 ffffea00017e53c0 ffffffff81158ccc ffffea00017e10d0
[ 80.058247] ffff88006d0b9d38 000000007c002640 ffff88006d2963c8 0000000000000000
[ 80.173526] ffff88006c5f8000 ffffffff81158c28 0000000000000001 0000000000000000
[ 80.184364] Call Trace:
[ 80.185803] [<ffffffff81158ccc>] ? padata_sysfs_release+0x4/0x25
[ 80.185803] [<ffffffff81158c28>] ? padata_stop+0x27/0x51
[ 80.185803] [<ffffffff810c3f4f>] lock_acquire+0x100/0x150
[ 80.200956] [<ffffffff81158c28>] ? padata_stop+0x27/0x51
[ 80.205967] [<ffffffff81158c28>] ? padata_stop+0x27/0x51
[ 80.205967] [<ffffffff8154e90b>] __mutex_lock_common+0x45/0x658
[ 80.222282] [<ffffffff81158c28>] ? padata_stop+0x27/0x51
[ 80.226676] [<ffffffff811b32a2>] ? free_debug_processing+0x245/0x27d
[ 80.237637] [<ffffffffa003db0c>] ? pcrypt_fini_padata+0x4a/0x96 [pcrypt]
[ 80.249091] [<ffffffff811b3493>] ? __slab_free+0x1b9/0x1d6
[ 80.257880] [<ffffffff8154f020>] mutex_lock_nested+0x4e/0x5a
[ 80.257880] [<ffffffff81158c28>] padata_stop+0x27/0x51
[ 80.273324] [<ffffffffa003db1b>] pcrypt_fini_padata+0x59/0x96 [pcrypt]
[ 80.283024] [<ffffffffa003df60>] pcrypt_exit+0x1c/0x5e [pcrypt]
[ 80.290927] [<ffffffff810d3cb0>] sys_delete_module+0x2d6/0x368
[ 80.298370] [<ffffffff8155036b>] ? lockdep_sys_exit_thunk+0x35/0x67
[ 80.305282] [<ffffffff810fdfaf>] ? audit_syscall_entry+0x172/0x1a5
[ 80.313996] [<ffffffff815502f5>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 80.313996] [<ffffffff8100ea72>] system_call_fastpath+0x16/0x1b
[ 80.333600] Code: ff 05 8d 1b 72 01 44 89 4d c0 e8 a4 db ff ff 48 ff 05 85 1b 72 01 48 85 c0 44 8b 4d c0 75 0c 48 ff 05 7d 1b 72 01 e9 a8 03 00 00 <f0> ff 80 98 01 00 00 8b 35 4b 18 f9 00 48 ff 05 6c 1b 72 01 45
[ 80.355817] RIP [<ffffffff810c3a98>] __lock_acquire+0x131/0x4e8
[ 80.359975] RSP <ffff88006d0b9cd8>
[ 80.371613] ---[ end trace 8f6f53761e872c8f ]---
control kernel:
control kernel: [ 80.305282] [<ffffffff810fdfaf>] ? audit_syscall_entry+0x172/0x1a5


kernel config file is attached (nearly allmodconfig).
There is a chance of some CONFIG that is not helpful...

---
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***


Attachments:
config-2637-rc1 (116.19 kB)

2010-11-10 11:32:44

by Steffen Klassert

Subject: Re: Linux 2.6.37-rc1 (pcrypt fault)

On Wed, Nov 03, 2010 at 02:15:19PM -0700, Randy Dunlap wrote:
>
> modprobe pcrypt; rmmod pcrypt ==>
>
>
> [ 76.081639] calling pcrypt_init+0x0/0x107 [pcrypt] @ 3016
> Nov 3 13:02:15 control kernel: [ 76.089883] initcall pcrypt_init+0x0/0x107 [pcrypt] returned 0 after 2476 usecs
> [ 76.081639] calling pcrypt_i
>
>
> [ 79.940445] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC

Looks like a use after free of the padata instance.
Does the patch below fix it?

Thanks for reporting,

Steffen


Subject: [PATCH] crypto: pcrypt - Fix use after free on padata_free

kobject_put is called from padata_free for the padata kobject.
The kobject's release function frees the padata instance,
so don't call kobject_put for the padata kobject from pcrypt.

Signed-off-by: Steffen Klassert <[email protected]>
---
crypto/pcrypt.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
index de30782..75586f1 100644
--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -504,7 +504,6 @@ err:

static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt)
{
- kobject_put(&pcrypt->pinst->kobj);
free_cpumask_var(pcrypt->cb_cpumask->mask);
kfree(pcrypt->cb_cpumask);

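Review bot: the removed kobject_put() was the final reference on the padata instance, and the rest of this function keeps using pcrypt->pinst after it (the reported trace shows padata_stop() entered from pcrypt_fini_padata+0x59, right after the put at +0x4a, with RAX holding 0x6b6b6b6b6b6b6b6b, the slab free poison), so dropping the put is the right fix; consider a one-line comment at the top of pcrypt_fini_padata() stating that the kobject reference is released by padata_free(), so that an explicit put is not reintroduced here later. The surviving lines free cb_cpumask->mask and cb_cpumask themselves, which are not kobject-managed and are unaffected.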
--
1.7.0.4
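As an added illustration (user-space model, not kernel code and not part of the patch) of the ownership rule the commit message states: the instance is owned by its embedded kobject, the last put runs the release function that frees it, and a second put from pcrypt turns the following padata_stop() into a use after free. The names pinst_alloc, padata_stop, padata_free, PINST_MAGIC and the poison-instead-of-free slab are constructed stand-ins for the kernel pieces.

```c
/* User-space model of the pcrypt/padata double-put (added example, not kernel code). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b          /* kernel slab free-poison byte, as seen in RAX of the oops */
#define PINST_MAGIC 0x50494E53u   /* constructed marker for a live, valid instance */

struct kobj { int refcount; void (*release)(struct kobj *); };
struct pinst { struct kobj kobj; uint32_t magic; int stopped; };

static void kobj_put(struct kobj *k) { if (--k->refcount == 0) k->release(k); }

/* Simulated slab free: poison the object instead of unmapping it, so the
 * later access is observable here rather than undefined behaviour. */
static void pinst_release(struct kobj *k) { memset(k, POISON_FREE, sizeof(struct pinst)); }

static struct pinst *pinst_alloc(void) {
    struct pinst *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->kobj.refcount = 1; p->kobj.release = pinst_release; p->magic = PINST_MAGIC;
    return p;
}

/* Stand-in for padata_stop(): the magic check plays the role of the debug
 * check that tripped on poisoned memory in the reported trace. */
static int padata_stop(struct pinst *p) {
    if (p->magic != PINST_MAGIC) return -1;   /* instance already released */
    p->stopped = 1;
    return 0;
}

/* padata_free() owns the final reference drop; release frees the instance. */
static void padata_free(struct pinst *p) { kobj_put(&p->kobj); }

static int fini_padata_buggy(struct pinst *p) {
    kobj_put(&p->kobj);            /* the removed line: release runs here */
    int rc = padata_stop(p);       /* touches released (poisoned) memory */
    if (rc == 0) padata_free(p);
    return rc;
}

static int fini_padata_fixed(struct pinst *p) {
    int rc = padata_stop(p);       /* instance still alive */
    padata_free(p);                /* single, final put */
    return rc;
}

int run_buggy(void) { struct pinst *p = pinst_alloc(); int rc = fini_padata_buggy(p); free(p); return rc; }
int run_fixed(void) { struct pinst *p = pinst_alloc(); int rc = fini_padata_fixed(p); free(p); return rc; }
```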

2010-11-10 18:13:29

by Randy Dunlap

Subject: Re: Linux 2.6.37-rc1 (pcrypt fault)

On 11/10/10 03:21, Steffen Klassert wrote:
> On Wed, Nov 03, 2010 at 02:15:19PM -0700, Randy Dunlap wrote:
>>
>> modprobe pcrypt; rmmod pcrypt ==>
>>
>>
>> [ 76.081639] calling pcrypt_init+0x0/0x107 [pcrypt] @ 3016
>> Nov 3 13:02:15 control kernel: [ 76.089883] initcall pcrypt_init+0x0/0x107 [pcrypt] returned 0 after 2476 usecs
>> [ 76.081639] calling pcrypt_i
>>
>>
>> [ 79.940445] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
>
> Looks like a use after free of the padata instance.
> Does the patch below fix it?

Yes, it does. Thanks.

Tested-by: Randy Dunlap <[email protected]>


> Thanks for reporting,
>
> Steffen
>
>
> Subject: [PATCH] crypto: pcrypt - Fix use after free on padata_free
>
> kobject_put is called from padata_free for the padata kobject.
> The kobject's release function frees the padata instance,
> so don't call kobject_put for the padata kobject from pcrypt.
>
> Signed-off-by: Steffen Klassert <[email protected]>
> ---
> crypto/pcrypt.c | 1 -
> 1 files changed, 0 insertions(+), 1 deletions(-)
>
> diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
> index de30782..75586f1 100644
> --- a/crypto/pcrypt.c
> +++ b/crypto/pcrypt.c
> @@ -504,7 +504,6 @@ err:
>
> static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt)
> {
> - kobject_put(&pcrypt->pinst->kobj);
> free_cpumask_var(pcrypt->cb_cpumask->mask);
> kfree(pcrypt->cb_cpumask);
>


--
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***