From patchwork Mon Jan 2 10:39:17 2023
X-Patchwork-Submitter: Vlastimil Babka
X-Patchwork-Id: 13086632
From: Vlastimil Babka
To: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen
Cc: x86@kernel.org, "H. Peter Anvin", patches@lists.linux.dev, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Vlastimil Babka, Baoquan He, Dave Young, stable@vger.kernel.org
Subject: [PATCH] x86/kexec: fix double vfree of image->elf_headers
Date: Mon, 2 Jan 2023 11:39:17 +0100
Message-Id: <20230102103917.20987-1-vbabka@suse.cz>

An investigation of a "Trying to vfree() nonexistent vm area" bug
occurring in arch_kimage_file_post_load_cleanup() doing a
vfree(image->elf_headers) in our 5.14-based kernel yielded the
following double vfree() scenario, also present in mainline:

SYSCALL_DEFINE5(kexec_file_load)
  kimage_file_alloc_init()
    kimage_file_prepare_segments()
      arch_kexec_kernel_image_probe()
      kexec_image_load_default()
        kexec_bzImage64_ops.load()
          bzImage64_load()
            crash_load_segments()
              prepare_elf_headers(image, &kbuf.buffer, &kbuf.bufsz);
              image->elf_headers = kbuf.buffer;
              ret = kexec_add_buffer(&kbuf);
              if (ret)
                vfree((void *)image->elf_headers); // first vfree()
    if (ret)
      kimage_file_post_load_cleanup()
        vfree(image->elf_headers); // second vfree()

AFAICS the scenario is possible since v5.19 commit b3e34a47f989
("x86/kexec: fix memory leak of elf header buffer") that was marked for
stable and also was backported to our kernel.

Fix the problem by setting the pointer to NULL after the first vfree().
Also set elf_headers_sz to 0, as kimage_file_post_load_cleanup() does.

Fixes: b3e34a47f989 ("x86/kexec: fix memory leak of elf header buffer")
Signed-off-by: Vlastimil Babka
Cc: Baoquan He
Cc: Dave Young
Cc:
---
 arch/x86/kernel/crash.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kernel/crash.c b/arch/x86/kernel/crash.c index 9730c88530fc..0d651c05a49e 100644 --- a/arch/x86/kernel/crash.c +++ b/arch/x86/kernel/crash.c @@ -403,6 +403,8 @@ int crash_load_segments(struct kimage *image) ret = kexec_add_buffer(&kbuf); if (ret) { vfree((void *)image->elf_headers); + image->elf_headers = NULL; + image->elf_headers_sz = 0; return ret; } image->elf_load_addr = kbuf.mem;
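Review bot: The two added lines in the `if (ret)` block of crash_load_segments() are the minimal fix for the double vfree(), but the changelog's own call trace shows that kimage_file_post_load_cleanup() already runs on this error path and frees elf_headers, so the local vfree() is redundant: dropping `vfree((void *)image->elf_headers);` together with the two new resets and letting the cleanup path own the buffer would remove the duplicated ownership instead of guarding it. If the local free is kept, a short comment in the hunk saying that the cleanup path will free elf_headers again unless it is NULL would stop a later change to either site from reintroducing the double free.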
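Added example, not the kernel's code and not part of the patch: a small user-space C model of the ownership bug the changelog describes, with the unpatched and patched error paths side by side. The model_* functions, the struct kimage stand-in, the MAX_LIVE bookkeeping table and the use of -ENOMEM as the failure code are assumptions made for the example; the only kernel behaviour it relies on is that vfree(NULL) is a no-op, which is what makes the NULL reset in the patch sufficient.

```c
/* User-space model of the double vfree() fixed by this patch.
 * image->elf_headers is freed once in the crash_load_segments()
 * error path and again in kimage_file_post_load_cleanup(); resetting
 * the pointer to NULL after the first free turns the second free
 * into a no-op.
 *
 * Everything named model_* is a simplified stand-in for the kernel
 * function of the same name, not the real implementation. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kimage {                      /* stand-in for the kernel struct */
    void *elf_headers;
    unsigned long elf_headers_sz;
};

/* A tiny "vfree" that records double frees instead of corrupting the
 * heap (glibc would abort), so the scenario can be run and checked. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int double_frees;

static void *model_vmalloc(size_t sz)
{
    void *p = malloc(sz);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

static void model_vfree(void *p)
{
    if (!p)                          /* vfree(NULL) is a no-op, as in the kernel */
        return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                  /* "Trying to vfree() nonexistent vm area" */
}

/* Stand-in for kexec_add_buffer(): fail when asked to. */
static int model_kexec_add_buffer(bool fail)
{
    return fail ? -ENOMEM : 0;
}

/* Stand-in for crash_load_segments(); `fixed` selects the patched
 * error path (pointer reset to NULL, size reset to 0). */
static int model_crash_load_segments(struct kimage *image, bool add_fails, bool fixed)
{
    image->elf_headers_sz = 4096;
    image->elf_headers = model_vmalloc(image->elf_headers_sz);
    if (!image->elf_headers)
        return -ENOMEM;

    int ret = model_kexec_add_buffer(add_fails);
    if (ret) {
        model_vfree(image->elf_headers);     /* first vfree() */
        if (fixed) {
            image->elf_headers = NULL;       /* the patch's two lines */
            image->elf_headers_sz = 0;
        }
        return ret;
    }
    return 0;
}

/* Stand-in for kimage_file_post_load_cleanup(). */
static void model_post_load_cleanup(struct kimage *image)
{
    model_vfree(image->elf_headers);         /* second vfree() */
    image->elf_headers = NULL;
    image->elf_headers_sz = 0;
}

/* Run the failing kexec_file_load() path and return how many double
 * frees the model's vfree() observed: 1 unpatched, 0 patched. */
int run_scenario(bool fixed)
{
    struct kimage image = { 0 };
    double_frees = 0;
    memset(live, 0, sizeof(live));

    int ret = model_crash_load_segments(&image, true, fixed);
    if (ret)
        model_post_load_cleanup(&image);
    return double_frees;
}

int main(void)
{
    printf("unpatched: %d double free(s)\n", run_scenario(false));
    printf("patched:   %d double free(s)\n", run_scenario(true));
    return 0;
}
```

run_scenario(false) follows the unpatched path and reports one double free; run_scenario(true) applies the patch's reset and reports none. The model's vfree() only counts the second free rather than performing it, which is why the program runs to completion instead of aborting the way a real double free() would.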