From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sasha Levin <sasha.levin@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 36/59] 9p: fix off by one causing access violations and memory corruption
Date: Fri, 26 Jul 2013 13:53:00 -0700 [thread overview]
Message-ID: <20130726205017.678544807@linuxfoundation.org> (raw)
In-Reply-To: <20130726205013.795696531@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sasha Levin <sasha.levin@oracle.com>
[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ]
p9_release_pages() would attempt to dereference one value past the end of
pages[]. This would cause the following crashes:
[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000
[ 6293.174146] IP: [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060
[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 6293.180060] Modules linked in:
[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954
[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000
[ 6293.180060] RIP: 0010:[<ffffffff8412793b>] [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202
[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000
[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40
[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000
[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070
[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000
[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0
[ 6293.256784] Stack:
[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8
[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001
[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000
[ 6293.256784] Call Trace:
[ 6293.256784] [<ffffffff84128be8>] p9_virtio_zc_request+0x598/0x630
[ 6293.256784] [<ffffffff8115c610>] ? wake_up_bit+0x40/0x40
[ 6293.256784] [<ffffffff841209b1>] p9_client_zc_rpc+0x111/0x3a0
[ 6293.256784] [<ffffffff81174b78>] ? sched_clock_cpu+0x108/0x120
[ 6293.256784] [<ffffffff84122a21>] p9_client_read+0xe1/0x2c0
[ 6293.256784] [<ffffffff81708a90>] v9fs_file_read+0x90/0xc0
[ 6293.256784] [<ffffffff812bd073>] vfs_read+0xc3/0x130
[ 6293.256784] [<ffffffff811a78bd>] ? trace_hardirqs_on+0xd/0x10
[ 6293.256784] [<ffffffff812bd5a2>] SyS_read+0x62/0xa0
[ 6293.256784] [<ffffffff841a1a00>] tracesys+0xdd/0xe2
[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c
[ 6293.256784] RIP [<ffffffff8412793b>] p9_release_pages+0x3b/0x60
[ 6293.256784] RSP <ffff880787ddfc28>
[ 6293.256784] CR2: ffff8807c96f3000
[ 6293.256784] ---[ end trace 50822ee72cd360fc ]---
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/9p/trans_common.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -24,11 +24,11 @@
*/
void p9_release_pages(struct page **pages, int nr_pages)
{
- int i = 0;
- while (pages[i] && nr_pages--) {
- put_page(pages[i]);
- i++;
- }
+ int i;
+
+ for (i = 0; i < nr_pages; i++)
+ if (pages[i])
+ put_page(pages[i]);
}
EXPORT_SYMBOL(p9_release_pages);
next prev parent reply other threads:[~2013-07-26 20:53 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-26 20:52 [ 00/59] 3.4.55-stable review Greg Kroah-Hartman
2013-07-26 20:52 ` [ 01/59] ext3: fix data=journal fast mount/umount hang Greg Kroah-Hartman
2013-07-26 20:52 ` [ 02/59] libata: skip SRST for all SIMG [34]7x port-multipliers Greg Kroah-Hartman
2013-07-26 20:52 ` [ 03/59] ata_piix: IDE-mode SATA patch for Intel Coleto Creek DeviceIDs Greg Kroah-Hartman
2013-07-26 20:52 ` [ 04/59] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK Greg Kroah-Hartman
2013-07-26 20:52 ` [ 05/59] tick: Prevent uncontrolled switch to oneshot mode Greg Kroah-Hartman
2013-07-26 20:52 ` [ 06/59] rt2x00: read 5GHz TX power values from the correct offset Greg Kroah-Hartman
2013-07-26 20:52 ` [ 07/59] ath9k: Do not assign noise for NULL caldata Greg Kroah-Hartman
2013-07-26 20:52 ` [ 08/59] SCSI: zfcp: fix adapter (re)open recovery while link to SAN is down Greg Kroah-Hartman
2013-07-26 20:52 ` [ 09/59] SCSI: mpt2sas: fix firmware failure with wrong task attribute Greg Kroah-Hartman
2013-07-26 20:52 ` [ 10/59] tracing: Use current_uid() for critical time tracing Greg Kroah-Hartman
2013-07-26 20:52 ` [ 11/59] iommu/amd: Only unmap large pages from the first pte Greg Kroah-Hartman
2013-07-26 20:52 ` [ 12/59] perf: Clone child context from parent context pmu Greg Kroah-Hartman
2013-07-26 20:52 ` [ 13/59] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario Greg Kroah-Hartman
2013-07-26 20:52 ` [ 14/59] perf: Fix perf_lock_task_context() vs RCU Greg Kroah-Hartman
2013-07-26 20:52 ` [ 15/59] sparc32: vm_area_struct access for old Sun SPARCs Greg Kroah-Hartman
2013-07-27 21:45 ` Ben Hutchings
2013-07-28 2:27 ` David Miller
2013-07-28 18:37 ` Greg KH
2013-07-26 20:52 ` [ 16/59] sparc64 address-congruence property Greg Kroah-Hartman
2013-07-26 20:52 ` [ 17/59] sparc: tsb must be flushed before tlb Greg Kroah-Hartman
2013-07-26 20:52 ` [ 18/59] bridge: fix switched interval for MLD Query types Greg Kroah-Hartman
2013-07-26 20:52 ` [ 19/59] ipv4: Fixed MD5 key lookups when adding/ removing MD5 to/ from TCP sockets Greg Kroah-Hartman
2013-07-26 20:52 ` [ 20/59] ipv6: dont call addrconf_dst_alloc again when enable lo Greg Kroah-Hartman
2013-07-26 20:52 ` [ 21/59] macvtap: fix recovery from gup errors Greg Kroah-Hartman
2013-07-26 20:52 ` [ 22/59] ipv6: ip6_sk_dst_check() must not assume ipv6 dst Greg Kroah-Hartman
2013-07-26 20:52 ` [ 23/59] af_key: fix info leaks in notify messages Greg Kroah-Hartman
2013-07-26 20:52 ` [ 24/59] sh_eth: fix unhandled RFE interrupt Greg Kroah-Hartman
2013-07-26 20:52 ` [ 25/59] neighbour: fix a race in neigh_destroy() Greg Kroah-Hartman
2013-07-26 20:52 ` [ 26/59] x25: Fix broken locking in ioctl error paths Greg Kroah-Hartman
2013-07-26 20:52 ` [ 27/59] net: Swap ver and type in pppoe_hdr Greg Kroah-Hartman
2013-07-26 20:52 ` [ 28/59] ipv6,mcast: always hold idev->lock before mca_lock Greg Kroah-Hartman
2013-07-26 20:52 ` [ 29/59] l2tp: add missing .owner to struct pppox_proto Greg Kroah-Hartman
2013-07-26 20:52 ` [ 30/59] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data Greg Kroah-Hartman
2013-07-26 20:52 ` [ 31/59] ipv6: ip6_append_data_mtu did not care about pmtudisc and frag_size Greg Kroah-Hartman
2013-07-26 20:52 ` [ 32/59] sunvnet: vnet_port_remove must call unregister_netdev Greg Kroah-Hartman
2013-07-26 20:52 ` [ 33/59] ifb: fix rcu_sched self-detected stalls Greg Kroah-Hartman
2013-07-26 20:52 ` [ 34/59] macvtap: correctly linearize skb when zerocopy is used Greg Kroah-Hartman
2013-07-26 20:52 ` [ 35/59] ipv6: in case of link failure remove route directly instead of letting it expire Greg Kroah-Hartman
2013-07-26 20:53 ` Greg Kroah-Hartman [this message]
2013-07-26 20:53 ` [ 37/59] dummy: fix oops when loading the dummy failed Greg Kroah-Hartman
2013-07-26 20:53 ` [ 38/59] ifb: fix oops when loading the ifb failed Greg Kroah-Hartman
2013-07-26 20:53 ` [ 39/59] atl1e: fix dma mapping warnings Greg Kroah-Hartman
2013-07-26 20:53 ` [ 40/59] atl1e: unmap partially mapped skb on dma error and free skb Greg Kroah-Hartman
2013-07-26 20:53 ` [ 41/59] vlan: fix a race in egress prio management Greg Kroah-Hartman
2013-07-26 20:53 ` [ 42/59] writeback: Fix periodic writeback after fs mount Greg Kroah-Hartman
2013-07-26 20:53 ` [ 43/59] SCSI: megaraid_sas: fix memory leak if SGL has zero length entries Greg Kroah-Hartman
2013-07-26 20:53 ` [ 44/59] SCSI: Fix incorrect memset in bnx2fc_parse_fcp_rsp Greg Kroah-Hartman
2013-07-26 20:53 ` [ 45/59] [SCSI] zfcp: block queue limits with data router Greg Kroah-Hartman
2013-07-26 20:53 ` [ 46/59] usb: serial: option: blacklist ONDA MT689DC QMI interface Greg Kroah-Hartman
2013-07-26 20:53 ` [ 47/59] usb: option: add TP-LINK MA260 Greg Kroah-Hartman
2013-07-26 20:53 ` [ 48/59] usb: serial: option: add Olivetti Olicard 200 Greg Kroah-Hartman
2013-07-26 20:53 ` [ 49/59] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver Greg Kroah-Hartman
2013-07-26 20:53 ` [ 50/59] USB: option: append Petatel NP10T device to GSM modems list Greg Kroah-Hartman
2013-07-26 20:53 ` [ 51/59] USB: option: add D-Link DWM-152/C1 and DWM-156/C1 Greg Kroah-Hartman
2013-07-26 20:53 ` [ 52/59] usb: serial: option: Add ONYX 3G device support Greg Kroah-Hartman
2013-07-26 20:53 ` [ 53/59] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter Greg Kroah-Hartman
2013-07-26 20:53 ` [ 54/59] USB: cp210x: add MMB and PI ZigBee USB Device Support Greg Kroah-Hartman
2013-07-26 20:53 ` [ 55/59] usb: cp210x support SEL C662 Vendor/Device Greg Kroah-Hartman
2013-07-26 20:53 ` [ 56/59] lockd: protect nlm_blocked access in nlmsvc_retry_blocked Greg Kroah-Hartman
2013-07-26 20:53 ` [ 57/59] tracing: Fix irqs-off tag display in syscall tracing Greg Kroah-Hartman
2013-07-26 20:53 ` [ 58/59] hrtimers: Move SMP function call to thread context Greg Kroah-Hartman
2013-07-26 20:53 ` [ 59/59] ALSA: usb-audio: 6fire: return correct XRUN indication Greg Kroah-Hartman
2013-07-27 21:28 ` [ 00/59] 3.4.55-stable review linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130726205017.678544807@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox