Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Ubuntu Kernel Team (http://www.linux-archive.org/ubuntu-kernel-team/)
-   -   APPLIED: SRU: Fix OMG how did this ever work (32bit) (http://www.linux-archive.org/ubuntu-kernel-team/542830-applied-sru-fix-omg-how-did-ever-work-32bit.html)

Tim Gardner 06-22-2011 01:57 PM
APPLIED: SRU: Fix OMG how did this ever work (32bit)
 
On 06/22/2011 07:42 AM, Stefan Bader wrote:

After Andy's feedback and looking a bit closer to what the 2.6.24
version of the file looks like, it seems that it is probably better
to refrain from changing too much code.

IOW it is better to look like 2.6.24 than like the 2.6.18 xen repo
we can check against.

This does actually reduce the changes to a few things that are much
simpler to look at. So I split the changes into three indipendant
findings. The first two are more theoretical but probably best fixed
right now when I remember.

The last one is the actual issue in pgd_dtor.

-Stefan

From e06452cbeb90be8fa2cb8752c6661b7443e5f834 Mon Sep 17 00:00:00 2001
From: Stefan Bader<stefan.bader@canonical.com>
Date: Wed, 22 Jun 2011 14:34:18 +0200
Subject: [PATCH] UBUNTU: xen: Fix memory corruption caused by double free

The Xen patches missed to exclude a section in pgd_dtor which causes
pgds which are freed on a quicklist trim to be unlinked from the
pgd_list for a second time. This causes memory coruption in struct pages
which possible are not even related to pgds.

Beside of this, a possible NULL pointer access and potential unbalanced
function call to xen_destroy_region get fixed.

BugLink: http://bugs.launchpad.net/bugs/705562

Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
---
...n-Check-for-NULL-pointer-before-using-pgd.patch | 37 +++++++++++++++++
...xen_destroy_contiguous_region-only-needed.patch | 37 +++++++++++++++++
...Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch | 43 ++++++++++++++++++++
3 files changed, 117 insertions(+), 0 deletions(-)
create mode 100644 debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
create mode 100644 debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
create mode 100644 debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch

diff --git a/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch b/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
new file mode 100644
index 0000000..5faf99a
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/022-UBUNTU-xen-Check-for-NULL-pointer-before-using-pgd.patch
@@ -0,0 +1,37 @@
+From 310f9650b26f889008ae5210ed7cadb9dcb5e39f Mon Sep 17 00:00:00 2001
+From: Stefan Bader<stefan.bader@canonical.com>
+Date: Tue, 21 Jun 2011 09:48:56 +0200
+Subject: [PATCH 21/23] UBUNTU: xen: Check for NULL pointer before using pgd
+
+In pgd_alloc(), the test for the new pgd being NULL is done
+after it has already been used for test_and_unpin(). Do that
+check before.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 74a2e57..48242aa 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -345,9 +345,12 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
+ pmd_t **pmds = NULL;
+ unsigned long flags;
+
++ if (!pgd)
++ return NULL;
++
+ pgd_test_and_unpin(pgd);
+
+- if (PTRS_PER_PMD == 1 || !pgd)
++ if (PTRS_PER_PMD == 1)
+ return pgd;
+
+ #ifdef CONFIG_XEN
+--
+1.7.4.1
+
diff --git a/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch b/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
new file mode 100644
index 0000000..bb3670a
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/023-UBUNTU-xen-xen_destroy_contiguous_region-only-needed.patch
@@ -0,0 +1,37 @@
+From 6a622c376c715a04d245bb3ca1f7910680b8165c Mon Sep 17 00:00:00 2001
+From: Stefan Bader<stefan.bader@canonical.com>
+Date: Wed, 22 Jun 2011 12:06:51 +0200
+Subject: [PATCH 22/23] UBUNTU: xen: xen_destroy_contiguous_region only needed in unshared case
+
+The call to create is only done for !SHARED_KERNEL_PMD, so only destroy
+in that case (also this is only useful when CONFIG_XEN is set.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 48242aa..49e28e7 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -473,8 +473,12 @@ void pgd_free(pgd_t *pgd)
+ pmd_cache_free(pmd, i);
+ }
+
+- if (!xen_feature(XENFEAT_pae_pgdir_above_4gb))
+- xen_destroy_contiguous_region((unsigned long)pgd, 0);
++#ifdef CONFIG_XEN
++ if (!SHARED_KERNEL_PMD)
++ if (!xen_feature(XENFEAT_pae_pgdir_above_4gb))
++ xen_destroy_contiguous_region(
++ (unsigned long)pgd, 0);
++#endif
+ }
+
+ /* in the non-PAE case, free_pgtables() clears user pgd entries */
+--
+1.7.4.1
+
diff --git a/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch b/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch
new file mode 100644
index 0000000..0c65d36
--- /dev/null
+++ b/debian/binary-custom.d/xen/patchset/024-UBUNTU-xen-Do-not-call-pgd_list_del-in-pgd_dtor-for-.patch
@@ -0,0 +1,43 @@
+From b70dad384c6b97b30a11838989364bb5946922cf Mon Sep 17 00:00:00 2001
+From: Stefan Bader<stefan.bader@canonical.com>
+Date: Wed, 22 Jun 2011 12:16:10 +0200
+Subject: [PATCH 23/23] UBUNTU: xen: Do not call pgd_list_del in pgd_dtor for Xen
+
+The Xen modifications add code to remove the pgd from the list as soon
+as it is freed in pgd_free.
+
+BugLink: http://bugs.launchpad.net/bugs/705562
+
+Signed-off-by: Stefan Bader<stefan.bader@canonical.com>
+---
+ arch/x86/mm/pgtable_32-xen.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/arch/x86/mm/pgtable_32-xen.c b/arch/x86/mm/pgtable_32-xen.c
+index 49e28e7..d8bc211 100644
+--- a/arch/x86/mm/pgtable_32-xen.c
++++ b/arch/x86/mm/pgtable_32-xen.c
+@@ -290,15 +290,20 @@ static void pgd_ctor(void *pgd)
+
+ static void pgd_dtor(void *pgd)
+ {
++#ifndef CONFIG_XEN
+ unsigned long flags; /* can be called from interrupt context */
++#endif
+
+ if (SHARED_KERNEL_PMD)
+ return;
+
++#ifndef CONFIG_XEN
++ /* This is done in pgd_free in the Xen case. */
+ paravirt_release_pd(__pa(pgd)>> PAGE_SHIFT);
+ spin_lock_irqsave(&pgd_lock, flags);
+ pgd_list_del(pgd);
+ spin_unlock_irqrestore(&pgd_lock, flags);
++#endif
+
+ pgd_test_and_unpin(pgd);
+ }
+--
+1.7.4.1
+



--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


All times are GMT. The time now is 12:22 PM.

VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.