korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-25 15:24:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
b23220fe05
linux/drivers/misc
History
Gil Kupfer b23220fe05 vmw_balloon: fixing double free when batching mode is off 
The balloon.page field is used for two different purposes if batching is
on or off. If batching is on, the field point to the page which is used
to communicate with with the hypervisor. If it is off, balloon.page
points to the page that is about to be (un)locked.

Unfortunately, this dual-purpose of the field introduced a bug: when the
balloon is popped (e.g., when the machine is reset or the balloon driver
is explicitly removed), the balloon driver frees, unconditionally, the
page that is held in balloon.page.  As a result, if batching is
disabled, this leads to double freeing the last page that is sent to the
hypervisor.

The following error occurs during rmmod when kernel checkers are on, and
the balloon is not empty:

[   42.307653] ------------[ cut here ]------------
[   42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
[   42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
[   42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
[   42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
[   42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
[   42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
[   42.313290] RIP: 0010:__free_pages+0x38/0x40
[   42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
[   42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
[   42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
[   42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
[   42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
[   42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
[   42.314550] FS:  00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
[   42.314599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
[   42.314864] Call Trace:
[   42.315774]  vmballoon_pop+0x102/0x130 [vmw_balloon]
[   42.315816]  vmballoon_exit+0x42/0xd64 [vmw_balloon]
[   42.315853]  SyS_delete_module+0x1e2/0x250
[   42.315891]  entry_SYSCALL_64_fastpath+0x23/0xc2
[   42.315924] RIP: 0033:0x7f3af5b0e8e7
[   42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[   42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
[   42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
[   42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
[   42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
[   42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
[   42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
[   42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
[   42.325735] ---[ end trace 872e008e33f81508 ]---

To solve the bug, we eliminate the dual purpose of balloon.page.

Fixes: f220a80f0c ("VMware balloon: add batching to the vmw_balloon.")
Cc: stable@vger.kernel.org
Reported-by: Oleksandr Natalenko <onatalen@redhat.com>
Signed-off-by: Gil Kupfer <gilkup@gmail.com>
Signed-off-by: Nadav Amit <namit@vmware.com>
Reviewed-by: Xavier Deguillard <xdeguillard@vmware.com>
Tested-by: Oleksandr Natalenko <oleksandr@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-02 19:34:13 +02:00
..
altera-stapl misc: altera-stapl: drop Kconfig comment 2017-10-04 10:43:08 +02:00
c2port kmemcheck: remove annotations 2017-11-15 18:21:04 -08:00
cardreader for-4.17/block-20180402 2018-04-05 14:27:02 -07:00
cb710
cxl misc: cxl: Change return type to vm_fault_t 2018-04-23 13:31:27 +02:00
echo misc: Remove Blackfin DSP echo support 2018-03-26 15:56:37 +02:00
eeprom Char/Misc patches for 4.17-rc1 2018-04-04 20:07:20 -07:00
genwqe GenWQE: Fix a typo in two comments 2018-03-27 09:51:22 +02:00
ibmasm Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-11-15 10:14:11 -08:00
lis3lv02d vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
lkdtm lkdtm: Add missing SPDX-License-Identifier line 2018-03-06 19:18:55 -08:00
mei mei: remove dev_err message on an unsupported ioctl 2018-03-14 19:33:13 +01:00
mic misc: mic: Release reference count and memory for VOP device 2018-03-15 18:12:01 +01:00
ocxl Merge 4.16-rc7 into char-misc-next 2018-03-28 12:27:35 +02:00
sgi-gru misc: sgi-gru: Change return type to vm_fault_t 2018-05-14 16:25:52 +02:00
sgi-xp sgi-xp: fix xpnet_dev_hard_start_xmit()'s return type 2018-04-26 10:20:30 +02:00
ti-st misc: ti-st: Replace GFP_ATOMIC with GFP_KERNEL in kim_probe 2018-04-23 13:31:27 +02:00
vmw_vmci vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
ad525x_dpot-i2c.c
ad525x_dpot-spi.c
ad525x_dpot.c misc: ad525x_dpot: macros should not use a trailing semicolon 2017-12-18 16:02:26 +01:00
ad525x_dpot.h misc: ad525x_dpot: Unnecessary space before function pointer arguments 2017-12-18 15:59:17 +01:00
apds990x.c misc: apds990x: Missing a blank line after declarations. 2017-12-18 16:02:26 +01:00
apds9802als.c misc: apds9802als: constify i2c_device_id 2017-08-28 16:55:49 +02:00
aspeed-lpc-ctrl.c misc: aspeed-lpc-ctrl: Enable FWH and A2H bridge cycles 2018-03-15 18:20:51 +01:00
aspeed-lpc-snoop.c drivers/misc: (aspeed-lpc-snoop): Add ast2400 to compat 2017-07-17 17:23:16 +02:00
atmel_tclib.c
atmel-ssc.c
bh1770glc.c misc: bh1770glc: constify attribute_group structures. 2017-08-28 16:55:48 +02:00
cs5535-mfgpt.c
ds1682.c misc: ds1682: Ignore update-in-progress ETC reads 2018-01-09 17:03:57 +01:00
dummy-irq.c Annotate hardware config module parameters in drivers/misc/ 2017-04-20 12:02:32 +01:00
enclosure.c misc: enclosure: Remove unnecessary error check 2017-12-07 18:45:31 +01:00
fsa9480.c misc: fsa9480: Add blank line after declarations. 2018-01-09 17:03:57 +01:00
hmc6352.c misc: hmc6352: constify i2c_device_id 2017-08-28 16:55:49 +02:00
hpilo.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
hpilo.h misc: hpilo: Use SPDX-License-Identifier 2017-12-07 18:45:31 +01:00
ibmvmc.c misc: IBM Virtual Management Channel Driver (VMC) 2018-05-14 16:35:42 +02:00
ibmvmc.h misc: IBM Virtual Management Channel Driver (VMC) 2018-05-14 16:35:42 +02:00
ics932s401.c misc: ics932s401: open brace should be on the previous line 2017-12-18 16:00:57 +01:00
ioc4.c misc: ioc4: constify pci_device_id. 2017-08-28 16:55:48 +02:00
isl29003.c misc: isl29003: Missing a blank line after declarations 2017-12-07 18:45:31 +01:00
isl29020.c misc: isl29020: constify i2c_device_id 2017-08-28 16:55:49 +02:00
Kconfig misc: IBM Virtual Management Channel Driver (VMC) 2018-05-14 16:35:42 +02:00
kgdbts.c misc: kgdbts: Display progress of asynchronous tests 2018-01-25 08:40:17 -06:00
lattice-ecp3-config.c
Makefile misc: IBM Virtual Management Channel Driver (VMC) 2018-05-14 16:35:42 +02:00
pch_phub.c MISC: add const to bin_attribute structures 2017-08-28 16:55:48 +02:00
pci_endpoint_test.c misc: pci_endpoint_test: Handle 64-bit BARs properly 2018-04-03 12:38:06 +01:00
phantom.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
pti.c drivers/misc/intel/pti: Rename the header file to free up the namespace 2017-12-17 12:52:34 +01:00
qcom-coincell.c
spear13xx_pcie_gadget.c
sram-exec.c misc: sram-exec: Use aligned fncpy instead of memcpy 2017-05-18 17:37:52 +02:00
sram.c misc: Convert to using %pOF instead of full_name 2017-08-28 16:55:49 +02:00
sram.h misc: sram: Integrate protect-exec reserved sram area type 2017-01-25 11:48:03 +01:00
tifm_7xx1.c misc: tifm: Remove VLA 2018-04-23 13:31:27 +02:00
tifm_core.c
tsl2550.c misc: tsl2550: Add OF device ID table 2017-04-08 18:22:59 +02:00
vexpress-syscfg.c misc: vexpress: Use PTR_ERR_OR_ZERO() 2017-12-07 18:45:31 +01:00
vmw_balloon.c vmw_balloon: fixing double free when batching mode is off 2018-06-02 19:34:13 +02:00