From: Tejun Heo <tj@kernel.org>
To: Jeffrey Carlyle <jeff.carlyle@motorola.com>
Cc: torvalds@osdl.org, linux-kernel@vger.kernel.org,
	jaxboe@fusionio.com, OLUSANYA SOYANNWO <c23746@motorola.com>,
	Hu Tao <taohu@motorola.com>
Subject: Re: [PATCH] scatterlist: prevent invalid free when alloc fails
Date: Fri, 27 Aug 2010 12:18:57 +0200
Message-ID: <4C779111.8000803@kernel.org>
In-Reply-To: <AANLkTimoCn9uWQ1NTJAhRu7cq1MA+oo6E5p30zeXA3f1@mail.gmail.com>

Hello,

First of all, the patch is line-wrapped.  Please check your email
settings.

On 08/26/2010 06:04 PM, Jeffrey Carlyle wrote:
> When alloc fails, free_table is being called. Depending on the number of
> bytes requested, we determine if we are going to call _get_free_page()
> or kmalloc(). When alloc fails, our math is wrong (due to sg_size - 1),
> and the last buffer is wrongfully assumed to have been allocated by
> kmalloc. Hence, kfree gets called and a panic occurs.
> 
> This fix sets the end marker and allows the proper freeing of the
> buffers.
> 
> Signed-off-by: Olusanya Soyannwo <c23746@motorola.com>
> Cc: Tejun Heo <tj@kernel.org>
> Cc: Jens Axboe <jaxboe@fusionio.com>
> Signed-off-by: Jeffrey Carlyle <jeff.carlyle@motorola.com>
> ---
>  lib/scatterlist.c |   11 +++++++++--
>  1 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/scatterlist.c b/lib/scatterlist.c
> index a5ec428..acf2c6e 100644
> --- a/lib/scatterlist.c
> +++ b/lib/scatterlist.c
> @@ -163,7 +163,7 @@ void __sg_free_table(struct sg_table *table,
> unsigned int max_ents,
>  		return;
> 
>  	sgl = table->sgl;
> -	while (table->orig_nents) {
> +	while (table->orig_nents && sgl) {
>  		unsigned int alloc_size = table->orig_nents;
>  		unsigned int sg_size;
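Review bot: the new `&& sgl` guard on the free loop is not explained by the commit message, and nothing in this hunk shows a path that reaches the loop with `table->orig_nents` non-zero and `sgl == NULL` (the function already returns early just above the loop). If `orig_nents` is kept consistent with what was actually allocated, `sgl` is non-NULL whenever `orig_nents` is, so the extra test only hides an accounting mismatch by silently stopping the free walk and leaking whatever remains. Either drop it or state in the commit message which caller leaves `orig_nents` stale with `sgl` unset.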

Why is this change necessary?

> @@ -227,6 +227,7 @@ int __sg_alloc_table(struct sg_table *table,
> unsigned int nents,
>  {
>  	struct scatterlist *sg, *prv;
>  	unsigned int left;
> +	unsigned int total_alloc = 0;
> 
>  #ifndef ARCH_HAS_SG_CHAIN
>  	BUG_ON(nents > max_ents);
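Review bot: `total_alloc` is declared and zeroed here but no line in the patch as shown adds to it, yet the failure path below stores it into `table->orig_nents`. Unless it is advanced by `sg_size` after every successful `alloc_fn()`, that store resets `orig_nents` to 0 and the `while (table->orig_nents ...)` loop in `__sg_free_table()` frees nothing, leaking every chunk already allocated. A parallel counter is also easy to let drift from `orig_nents`; adjusting `orig_nents` itself in the failure path avoids the second source of truth.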
> @@ -248,8 +249,14 @@ int __sg_alloc_table(struct sg_table *table,
> unsigned int nents,
>  		left -= sg_size;
> 
>  		sg = alloc_fn(alloc_size, gfp_mask);
> -		if (unlikely(!sg))
> +		if (unlikely(!sg)) {
> +			table->orig_nents = total_alloc;
> +			/* mark the end of previous entry */
> +			sg_mark_end(&prv[alloc_size - 1]);
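Review bot: `prv` is NULL when the very first `alloc_fn()` fails, so `sg_mark_end(&prv[alloc_size - 1])` dereferences NULL on that path; guard it with `if (prv)`. Even with `prv` set, `alloc_size` at this point is the size of the allocation that just failed (it is what was passed to `alloc_fn(alloc_size, gfp_mask)` two lines up), not the size of the previous chunk, so when the failing chunk is the final, shorter one the marked entry is not `prv`'s last entry. Since the end mark on the previous chunk was never cleared (chaining happens only after a successful allocation), the `sg_mark_end()` call can be dropped and the failure path reduced to fixing up the entry count.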

prv[alloc_size - 1] is already marked as end by sg_init_table() during
the previous iteration.  Also, prv can be NULL at this point.  AFAICS,
the only thing necessary would be "if (prv) table->nents++", no?

Thanks.

-- 
tejun
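The accounting the commit message and the reply above disagree about is easy to replay outside the kernel. The following user-space C model is an added example, not code from the patch or from lib/scatterlist.c: it mirrors the alloc loop (one chunk per `alloc_fn()` call, a chained chunk giving up its last entry as the link, so it contributes `alloc_size - 1` to `orig_nents`) and the free loop (which re-derives every chunk's `alloc_size` from `orig_nents` alone), and checks whether each chunk would be handed to the same free routine it came from. Assumptions: `MAX_ENTS` (8) stands in for `SG_MAX_SINGLE_ALLOC`; `kind_for()` mirrors the rule in `sg_kmalloc()`/`sg_kfree()` that a chunk of exactly `SG_MAX_SINGLE_ALLOC` entries is a page allocation and anything smaller is `kmalloc()`; failure is injected by chunk index; and the `fix` flag applies the "bump the count by one when a previous chunk exists" adjustment to `orig_nents`, since that is the counter the free loop walks.

```c
/*
 * User-space model of scatterlist chunk accounting. Added example, not
 * kernel code. MAX_ENTS plays the role of SG_MAX_SINGLE_ALLOC (assumed 8).
 */
#include <stdbool.h>
#include <stdio.h>

#define MAX_ENTS   8
#define MAX_CHUNKS 16

enum alloc_kind { ALLOC_PAGE, ALLOC_KMALLOC };

/* Assumed mirror of sg_kmalloc()/sg_kfree(): full-size chunk => page, else kmalloc. */
static enum alloc_kind kind_for(unsigned int alloc_size)
{
	return alloc_size == MAX_ENTS ? ALLOC_PAGE : ALLOC_KMALLOC;
}

struct chunk { enum alloc_kind kind; unsigned int size; };

struct model {
	struct chunk chunks[MAX_CHUNKS];
	unsigned int nchunks;
	unsigned int orig_nents;	/* what the free loop walks */
};

/*
 * Mirror of the __sg_alloc_table() loop. Allocation number fail_at fails
 * (pass a large value for success). With fix, the failure path bumps
 * orig_nents by one when a previous chunk exists: its link entry will never
 * be used, so it must later be freed as a full MAX_ENTS allocation.
 */
static int model_alloc(struct model *m, unsigned int nents,
		       unsigned int fail_at, bool fix)
{
	unsigned int left = nents;
	bool have_prv = false;

	m->nchunks = 0;
	m->orig_nents = 0;
	do {
		unsigned int sg_size, alloc_size = left;

		if (alloc_size > MAX_ENTS) {
			alloc_size = MAX_ENTS;
			sg_size = alloc_size - 1;	/* last entry is the chain link */
		} else {
			sg_size = alloc_size;
		}
		left -= sg_size;

		if (m->nchunks == fail_at || m->nchunks == MAX_CHUNKS) {
			if (fix && have_prv)
				m->orig_nents++;
			return -1;	/* -ENOMEM in the kernel */
		}
		m->chunks[m->nchunks].kind = kind_for(alloc_size);
		m->chunks[m->nchunks].size = alloc_size;
		m->nchunks++;
		m->orig_nents += sg_size;
		have_prv = true;
	} while (left);
	return 0;
}

/*
 * Mirror of the __sg_free_table() loop: derive each chunk's alloc_size from
 * orig_nents alone and compare with how it was really allocated. Returns the
 * number of chunks that would reach the wrong free routine (0 == clean).
 */
static unsigned int model_free(const struct model *m)
{
	unsigned int orig = m->orig_nents, i = 0, wrong = 0;

	while (orig) {
		unsigned int sg_size, alloc_size = orig;

		if (alloc_size > MAX_ENTS) {
			alloc_size = MAX_ENTS;
			sg_size = alloc_size - 1;
		} else {
			sg_size = alloc_size;
		}
		if (i >= m->nchunks)
			return wrong + 1;	/* would free a chunk never allocated */
		if (kind_for(alloc_size) != m->chunks[i].kind)
			wrong++;
		orig -= sg_size;
		i++;
	}
	return wrong;
}

/* Allocate nents entries, fail at chunk fail_at, report wrong frees. */
static unsigned int mismatches(unsigned int nents, unsigned int fail_at, bool fix)
{
	struct model m;

	model_alloc(&m, nents, fail_at, fix);
	return model_free(&m);
}

int main(void)
{
	printf("20 ents, no failure:           %u wrong frees\n", mismatches(20, 99, false));
	printf("20 ents, 3rd alloc fails:      %u wrong frees\n", mismatches(20, 2, false));
	printf("20 ents, 3rd alloc fails, fix: %u wrong frees\n", mismatches(20, 2, true));
	printf("20 ents, 1st alloc fails:      %u wrong frees\n", mismatches(20, 0, false));
	return 0;
}
```

With 20 entries the alloc loop produces two full chunks (7 usable entries each) and a tail of 6. If the third allocation fails, `orig_nents` is 14; the free loop peels one full chunk, is left with 7, treats that as a short `kmalloc()` chunk and frees a page allocation with the wrong routine, which is the panic the commit message describes. Bumping the count to 15 makes the second chunk look like a full 8-entry allocation again, and a failure on the very first allocation leaves nothing to free, which is why the adjustment is conditional on a previous chunk existing.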

Thread overview: 16+ messages
2010-08-26 16:04 [PATCH] scatterlist: prevent invalid free when alloc fails Jeffrey Carlyle
2010-08-27 10:18 ` Tejun Heo [this message]
2010-08-27 19:45   ` Jeffrey Carlyle
2010-08-27 20:15     ` Jeffrey Carlyle
2010-08-27 23:32     ` Tejun Heo
2010-08-30 15:01       ` [PATCH v2] " Jeffrey Carlyle
2010-08-30 15:58         ` [PATCH v3] " Jeffrey Carlyle
2010-08-30 16:04           ` [PATCH v4] " Jeffrey Carlyle
2010-08-30 16:08             ` [PATCH v5] " Jeffrey Carlyle
2010-08-30 16:13               ` Tejun Heo
2010-08-30 16:19                 ` [PATCH v6] " Jeffrey Carlyle
2010-08-30 17:28                   ` Tejun Heo
2010-08-30 17:56                   ` Jens Axboe
2010-08-30 16:05           ` [PATCH v3] " Tejun Heo
2010-08-30 16:12             ` Jeffrey Carlyle
2010-08-30 16:00         ` [PATCH v2] " Tejun Heo
