[PATCH 3/4] x86: call free_thread_xstate() in free_task_struct()

From: Akinobu Mita
Date: Sat Dec 27 2008 - 00:19:25 EST

Next message: Akinobu Mita: "[PATCH 4/4] x86: use generic thread_info allocator"
Previous message: Akinobu Mita: "[PATCH 2/4] x86: arch specific task_struct allocator"
In reply to: Akinobu Mita: "[PATCH 2/4] x86: arch specific task_struct allocator"
Next in thread: Akinobu Mita: "[PATCH 4/4] x86: use generic thread_info allocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

x86 arch specific free_thread_info() accesses thread_info->task to call
free_thread_xstate(). But the thread_info may not be initialized yet.
So invalid pointer derefence may happen in free_thread_xstate().

It happens in the following scenario in dup_task_struct()

1. call alloc_task_struct() to allocate empty task_struct
2. call alloc_thread_info() to allocate empty thread_info
3. call arch_dup_task_struct()

x86 arch specific arch_dup_task_struct() copies task_struct from source
task_struct. it also allocates empty xstate and copy from source if
source task_struct has ->thread.xstate.

If the xstate allocation failed, arch_dup_task_struct() returns error.

4. call free_thread_info() to deallocate thread_info

x86 arch specific free_thread_info() calls free_thread_xstate() with
thread_info->task. But the thread_info is not initialized yet.

This patch resolves the issue by moving the free_thread_xstate() call
into free_task_struct().

Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: "H. Peter Anvin" <hpa@xxxxxxxxx>
Signed-off-by: Akinobu Mita <akinobu.mita@xxxxxxxxx>
---
arch/x86/kernel/process.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Index: 2.6/arch/x86/kernel/process.c
===================================================================
--- 2.6.orig/arch/x86/kernel/process.c
+++ 2.6/arch/x86/kernel/process.c
@@ -40,7 +40,6 @@ void free_thread_xstate(struct task_stru

void free_thread_info(struct thread_info *ti)
{
- free_thread_xstate(ti->task);
free_pages((unsigned long)ti, get_order(THREAD_SIZE));
}

@@ -53,6 +52,7 @@ struct task_struct *alloc_task_struct(vo

void free_task_struct(struct task_struct *tsk)
{
+ free_thread_xstate(tsk);
kmem_cache_free(task_struct_cachep, tsk);
}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Akinobu Mita: "[PATCH 4/4] x86: use generic thread_info allocator"
Previous message: Akinobu Mita: "[PATCH 2/4] x86: arch specific task_struct allocator"
In reply to: Akinobu Mita: "[PATCH 2/4] x86: arch specific task_struct allocator"
Next in thread: Akinobu Mita: "[PATCH 4/4] x86: use generic thread_info allocator"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]