android_kernel_google_msm/lib
Thadeu Lima de Souza Cascardo 24d1745f4d genalloc: stop crashing the system when destroying a pool
commit eedce141cd upstream.

The genalloc code uses the bitmap API from include/linux/bitmap.h and
lib/bitmap.c, which is based on long values.  Both bitmap_set from
lib/bitmap.c and bitmap_set_ll, which is the lockless version from
genalloc.c, use BITMAP_LAST_WORD_MASK to set the first bits in a long in
the bitmap.

That one uses (1 << bits) - 1, 0b111, if you are setting the first three
bits.  This means that the API counts from the least significant bits
(LSB from now on) to the MSB.  The LSB in the first long is bit 0, then.
The same works for the lookup functions.

The genalloc code uses longs for the bitmap, as it should.  In
include/linux/genalloc.h, struct gen_pool_chunk has unsigned long
bits[0] as its last member.  When allocating the struct, genalloc should
reserve enough space for the bitmap.  This should be a proper number of
longs that can fit the amount of bits in the bitmap.

However, genalloc allocates an integer number of bytes that fit the
amount of bits, but may not be an integer amount of longs.  9 bytes, for
example, could be allocated for 70 bits.

This is a problem in itself if the Least Significat Bit in a long is in
the byte with the largest address, which happens in Big Endian machines.
This means genalloc is not allocating the byte in which it will try to
set or check for a bit.

This may end up in memory corruption, where genalloc will try to set the
bits it has not allocated.  In fact, genalloc may not set these bits
because it may find them already set, because they were not zeroed since
they were not allocated.  And that's what causes a BUG when
gen_pool_destroy is called and check for any set bits.

What really happens is that genalloc uses kmalloc_node with __GFP_ZERO
on gen_pool_add_virt.  With SLAB and SLUB, this means the whole slab
will be cleared, not only the requested bytes.  Since struct
gen_pool_chunk has a size that is a multiple of 8, and slab sizes are
multiples of 8, we get lucky and allocate and clear the right amount of
bytes.

Hower, this is not the case with SLOB or with older code that did memset
after allocating instead of using __GFP_ZERO.

So, a simple module as this (running 3.6.0), will cause a crash when
rmmod'ed.

  [root@phantom-lp2 foo]# cat foo.c
  #include <linux/kernel.h>
  #include <linux/module.h>
  #include <linux/init.h>
  #include <linux/genalloc.h>

  MODULE_LICENSE("GPL");
  MODULE_VERSION("0.1");

  static struct gen_pool *foo_pool;

  static __init int foo_init(void)
  {
          int ret;
          foo_pool = gen_pool_create(10, -1);
          if (!foo_pool)
                  return -ENOMEM;
          ret = gen_pool_add(foo_pool, 0xa0000000, 32 << 10, -1);
          if (ret) {
                  gen_pool_destroy(foo_pool);
                  return ret;
          }
          return 0;
  }

  static __exit void foo_exit(void)
  {
          gen_pool_destroy(foo_pool);
  }

  module_init(foo_init);
  module_exit(foo_exit);
  [root@phantom-lp2 foo]# zcat /proc/config.gz | grep SLOB
  CONFIG_SLOB=y
  [root@phantom-lp2 foo]# insmod ./foo.ko
  [root@phantom-lp2 foo]# rmmod foo
  ------------[ cut here ]------------
  kernel BUG at lib/genalloc.c:243!
  cpu 0x4: Vector: 700 (Program Check) at [c0000000bb0e7960]
      pc: c0000000003cb50c: .gen_pool_destroy+0xac/0x110
      lr: c0000000003cb4fc: .gen_pool_destroy+0x9c/0x110
      sp: c0000000bb0e7be0
     msr: 8000000000029032
    current = 0xc0000000bb0e0000
    paca    = 0xc000000006d30e00   softe: 0        irq_happened: 0x01
      pid   = 13044, comm = rmmod
  kernel BUG at lib/genalloc.c:243!
  [c0000000bb0e7ca0] d000000004b00020 .foo_exit+0x20/0x38 [foo]
  [c0000000bb0e7d20] c0000000000dff98 .SyS_delete_module+0x1a8/0x290
  [c0000000bb0e7e30] c0000000000097d4 syscall_exit+0x0/0x94
  --- Exception: c00 (System Call) at 000000800753d1a0
  SP (fffd0b0e640) is in userspace

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
Cc: Benjamin Gaignard <benjamin.gaignard@stericsson.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2012-10-31 10:02:56 -07:00
..
lzo
mpi mpi: Avoid using freed pointer in mpi_lshift_limbs() 2012-04-18 12:14:28 +10:00
raid6 Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
reed_solomon
xz
zlib_deflate
zlib_inflate
.gitignore
argv_split.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
atomic64.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
atomic64_test.c bug.h: add include of it to various implicit C users 2012-02-29 17:15:08 -05:00
audit.c
average.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
bcd.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
bch.c
bitmap.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
bitrev.c
bsearch.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
btree.c btree: fix tree corruption in btree_get_prev() 2012-06-17 11:21:22 -07:00
bug.c bugs, x86: Fix printk levels for panic, softlockups and stack dumps 2012-01-26 21:28:45 +01:00
bust_spinlocks.c
check_signature.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
checksum.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
clz_tab.c lib: Fix multiple definitions of clz_tab 2012-02-02 10:34:23 +11:00
cmdline.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
cordic.c Docs: wording: functions -> algorithm 2011-10-29 21:20:22 +02:00
cpu-notifier-error-inject.c
cpu_rmap.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
cpumask.c lib/cpumask.c: remove __any_online_cpu() 2012-03-28 17:14:35 -07:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc7.c
crc8.c
crc16.c
crc32.c crc32: add self-test code for crc32c 2012-03-23 16:58:38 -07:00
crc32defs.h crc32: select an algorithm via Kconfig 2012-03-23 16:58:38 -07:00
ctype.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
debug_locks.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
debugobjects.c debugobjects: Fix selftest for static warnings 2012-03-05 15:49:43 -08:00
dec_and_lock.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
decompress.c
decompress_bunzip2.c decompress_bunzip2: remove invalid vi modeline 2011-12-06 10:00:05 +01:00
decompress_inflate.c
decompress_unlzma.c treewide: Fix comment and string typo 'bufer' 2011-12-06 09:53:40 +01:00
decompress_unlzo.c unlzo: fix input buffer free 2012-01-12 20:13:13 -08:00
decompress_unxz.c
devres.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
digsig.c digsig: add hash size comparision on signature verification 2012-10-02 10:29:55 -07:00
div64.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
dma-debug.c Remove useless get_driver()/put_driver() calls 2012-01-24 16:00:35 -08:00
dump_stack.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
dynamic_debug.c dynamic_debug: process multiple debug-queries on a line 2012-01-24 12:50:36 -08:00
dynamic_queue_limits.c bql: Avoid possible inconsistent calculation. 2012-07-16 09:03:43 -07:00
extable.c
fault-inject.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
find_last_bit.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
find_next_bit.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
flex_array.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
gcd.c lib/gcd.c: prevent possible div by 0 2012-10-13 05:38:38 +09:00
gen_crc32table.c crc32: bolt on crc32c 2012-03-23 16:58:38 -07:00
genalloc.c genalloc: stop crashing the system when destroying a pool 2012-10-31 10:02:56 -07:00
halfmd4.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
hexdump.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
hweight.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
idr.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
inflate.c
int_sqrt.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
iomap.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
iomap_copy.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
iommu-helper.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
ioremap.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
irq_regs.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
is_single_threaded.c
kasprintf.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
Kconfig crc32: add help text for the algorithm select option 2012-03-28 17:14:37 -07:00
Kconfig.debug Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 14:28:26 -07:00
Kconfig.kgdb
Kconfig.kmemcheck
klist.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
kobject.c kobject: provide more diagnostic info for kobject_add_internal() failures 2012-04-10 14:48:51 -07:00
kobject_uevent.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
kstrtox.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
kstrtox.h lib/kstrtox: common code between kstrto*() and simple_strto*() functions 2011-10-31 17:30:56 -07:00
lcm.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
libcrc32c.c
list_debug.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
list_sort.c
llist.c Disintegrate and delete asm/system.h 2012-03-28 15:58:21 -07:00
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
lru_cache.c
Makefile lib: Fix multiple definitions of clz_tab 2012-02-02 10:34:23 +11:00
md5.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
nlattr.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
parser.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
pci_iomap.c lib: add NO_GENERIC_PCI_IOPORT_MAP 2012-01-31 23:19:47 +02:00
percpu_counter.c lib/percpu_counter.c: enclose hotplug only variables in hotplug ifdef 2011-10-31 17:30:56 -07:00
plist.c bug.h: add include of it to various implicit C users 2012-02-29 17:15:08 -05:00
prio_heap.c
prio_tree.c prio_tree: introduce prio_set_parent() 2012-03-23 16:58:36 -07:00
proportions.c
radix-tree.c radix-tree: fix contiguous iterator 2012-06-10 00:36:17 +09:00
random32.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
ratelimit.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
rational.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
rbtree.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
reciprocal_div.c sch_red: Adaptative RED AQM 2011-12-08 19:52:43 -05:00
rwsem-spinlock.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
rwsem.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
scatterlist.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
sha1.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
show_mem.c
smp_processor_id.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
sort.c
spinlock_debug.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
string.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
string_helpers.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
swiotlb.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
syscall.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
test-kstrtox.c
textsearch.c
timerqueue.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
ts_bm.c
ts_fsm.c
ts_kmp.c
uuid.c lib: reduce the use of module.h wherever possible 2012-03-07 15:04:04 -05:00
vsprintf.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00