From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Richard Weinberger <richard@nod.at>,
	Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Subject: [PATCH 3.14 24/77] UBI: Fix invalid vfree()
Date: Tue, 13 Jan 2015 23:23:04 -0800
Message-ID: <20150114072225.522021333@linuxfoundation.org>
In-Reply-To: <20150114072224.182299947@linuxfoundation.org>

3.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard Weinberger <richard@nod.at>

commit f38aed975c0c3645bbdfc5ebe35726e64caaf588 upstream.

The logic of vfree()'ing vol->upd_buf is tied to vol->updating.
In ubi_start_update() vol->updating is set long before vmalloc()'ing
vol->upd_buf. If we encounter a write failure in ubi_start_update()
before vmalloc() the UBI device release function will try to vfree()
vol->upd_buf because vol->updating is set.
Fix this by allocating vol->upd_buf directly after setting vol->updating.

Fixes:
[   31.559338] UBI warning: vol_cdev_release: update of volume 2 not finished, volume is damaged
[   31.559340] ------------[ cut here ]------------
[   31.559343] WARNING: CPU: 1 PID: 2747 at mm/vmalloc.c:1446 __vunmap+0xe3/0x110()
[   31.559344] Trying to vfree() nonexistent vm area (ffffc90001f2b000)
[   31.559345] Modules linked in:
[   31.565620]  0000000000000bba ffff88002a0cbdb0 ffffffff818f0497 ffff88003b9ba148
[   31.566347]  ffff88002a0cbde0 ffffffff8156f515 ffff88003b9ba148 0000000000000bba
[   31.567073]  0000000000000000 0000000000000000 ffff88002a0cbe88 ffffffff8156c10a
[   31.567793] Call Trace:
[   31.568034]  [<ffffffff818f0497>] dump_stack+0x4e/0x7a
[   31.568510]  [<ffffffff8156f515>] ubi_io_write_vid_hdr+0x155/0x160
[   31.569084]  [<ffffffff8156c10a>] ubi_eba_write_leb+0x23a/0x870
[   31.569628]  [<ffffffff81569b36>] vol_cdev_write+0x226/0x380
[   31.570155]  [<ffffffff81179265>] vfs_write+0xb5/0x1f0
[   31.570627]  [<ffffffff81179f8a>] SyS_pwrite64+0x6a/0xa0
[   31.571123]  [<ffffffff818fde12>] system_call_fastpath+0x16/0x1b

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/ubi/upd.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/mtd/ubi/upd.c
+++ b/drivers/mtd/ubi/upd.c
@@ -133,6 +133,10 @@ int ubi_start_update(struct ubi_device *
 	ubi_assert(!vol->updating && !vol->changing_leb);
 	vol->updating = 1;
 
+	vol->upd_buf = vmalloc(ubi->leb_size);
+	if (!vol->upd_buf)
+		return -ENOMEM;
+
 	err = set_update_marker(ubi, vol);
 	if (err)
 		return err;
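Review bot: with the vmalloc() moved above set_update_marker(), the `if (err) return err;` that follows now returns with vol->updating still 1 and a valid vol->upd_buf, so the release path's vfree() on that error return frees a real buffer instead of a stale pointer; that invariant (updating set implies upd_buf allocated) is what the whole fix rests on and deserves a one-line comment next to `vol->updating = 1;`. One remaining wrinkle: if vmalloc() fails, the function returns -ENOMEM with vol->updating already set and upd_buf NULL; vfree(NULL) is a no-op, so nothing breaks, but clearing vol->updating before that `return -ENOMEM;` would avoid the "update of volume ... not finished, volume is damaged" warning at release for an update that never really started.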
@@ -152,14 +156,12 @@ int ubi_start_update(struct ubi_device *
 		err = clear_update_marker(ubi, vol, 0);
 		if (err)
 			return err;
+
+		vfree(vol->upd_buf);
 		vol->updating = 0;
 		return 0;
 	}
 
-	vol->upd_buf = vmalloc(ubi->leb_size);
-	if (!vol->upd_buf)
-		return -ENOMEM;
-
 	vol->upd_ebs = div_u64(bytes + vol->usable_leb_size - 1,
 			       vol->usable_leb_size);
 	vol->upd_bytes = bytes;
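Review bot: the new `vfree(vol->upd_buf);` in the early-return path that clears the update marker leaves vol->upd_buf pointing at freed memory once `vol->updating = 0;` runs, and nothing in the hunk resets it. Since the release path frees whatever upd_buf holds whenever updating is set, the two fields should stay consistent; consider adding `vol->upd_buf = NULL;` right after the vfree(). The placement after `if (err) return err;` is correct: if clear_update_marker() fails the function returns with updating still set, so the release path frees the buffer and no leak results.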
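The failure sequence the commit message describes, as an added C example that is not part of the patch or of the UBI driver: a `struct volume` with just the `updating` flag and the `upd_buf` pointer, a small tracking allocator standing in for vmalloc()/vfree() so that freeing a pointer it never handed out is counted rather than corrupting the heap, and the two orderings of `ubi_start_update()` (before and after the patch) run through the same scenario: one update completes, the next one hits a write failure in the marker step, then the device is released. All names, sizes and the simulated `set_update_marker()` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the two ubi_volume fields the patch deals with. */
struct volume {
	int updating;	/* "an update is in progress": release() frees upd_buf */
	void *upd_buf;	/* update buffer, owned only while updating == 1 */
};

/* Tiny tracking allocator modelling vmalloc()/vfree(): it remembers live
 * allocations so that freeing an unknown or already-freed pointer is counted
 * instead of being passed to free(), mirroring the __vunmap() warning
 * "Trying to vfree() nonexistent vm area". */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int invalid_frees;

static void *track_alloc(size_t n)
{
	void *p = malloc(n);

	for (int i = 0; p && i < MAX_LIVE; i++) {
		if (!live[i]) {
			live[i] = p;
			break;
		}
	}
	return p;
}

static void track_free(void *p)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (p && live[i] == p) {
			live[i] = NULL;
			free(p);
			return;
		}
	}
	if (p)		/* vfree(NULL) is a no-op; any other unknown pointer is a bug */
		invalid_frees++;
}

int live_count(void)
{
	int n = 0;

	for (int i = 0; i < MAX_LIVE; i++)
		n += live[i] != NULL;
	return n;
}

/* Simulated set_update_marker(): the flash write fails when fail_write is set. */
static int set_update_marker(bool fail_write)
{
	return fail_write ? -EIO : 0;
}

/* Ordering before the patch: flag first, marker write, allocation last. */
int start_update_before(struct volume *vol, bool fail_write)
{
	vol->updating = 1;
	if (set_update_marker(fail_write))
		return -EIO;	/* updating == 1, upd_buf still holds an old pointer */
	vol->upd_buf = track_alloc(4096);
	return vol->upd_buf ? 0 : -ENOMEM;
}

/* Ordering after the patch: allocate immediately after raising the flag. */
int start_update_after(struct volume *vol, bool fail_write)
{
	vol->updating = 1;
	vol->upd_buf = track_alloc(4096);
	if (!vol->upd_buf)
		return -ENOMEM;
	if (set_update_marker(fail_write))
		return -EIO;	/* updating == 1 and upd_buf valid: release() frees it */
	return 0;
}

/* Models vol_cdev_release(): an unfinished update still owns upd_buf. */
void release(struct volume *vol)
{
	if (vol->updating) {
		track_free(vol->upd_buf);
		vol->updating = 0;
	}
}

/* A completed update frees the buffer and clears the flag but, like the
 * driver, leaves the pointer in place, so upd_buf now dangles. */
static void finish_update(struct volume *vol)
{
	track_free(vol->upd_buf);
	vol->updating = 0;
}

/* Returns how many invalid frees release() attempted for the given ordering. */
int run_scenario(int (*start)(struct volume *, bool))
{
	struct volume vol = { 0 };

	memset(live, 0, sizeof live);
	invalid_frees = 0;
	start(&vol, false);	/* first update succeeds */
	finish_update(&vol);	/* buffer freed, pointer left stale */
	start(&vol, true);	/* second update fails in set_update_marker() */
	release(&vol);		/* release keys off vol->updating */
	return invalid_frees;
}

int main(void)
{
	printf("before patch: %d invalid free(s), %d live buffer(s)\n",
	       run_scenario(start_update_before), live_count());
	printf("after patch:  %d invalid free(s), %d live buffer(s)\n",
	       run_scenario(start_update_after), live_count());
	return 0;
}
```

The pre-patch ordering reports one invalid free: the stale pointer left behind by the first update is handed to the release path because the flag says an update is in progress. The post-patch ordering reports none and leaves no live buffer, since the flag is never raised without a freshly allocated buffer behind it.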


