bug-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[patch #3347] Double free and memory loss probing partition table

From: Neal H. Walfield
Subject: [patch #3347] Double free and memory loss probing partition table
Date: Fri, 03 Dec 2004 04:26:52 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041007 Debian/1.7.3-5 
This mail is an automated notification from the patch tracker
 of the project: The GNU Hurd.

/**************************************************************************/
[patch #3347] Latest Modifications:

Changes by: 
                Neal H. Walfield <neal@cs.uml.edu>
'Date: 
                Fri 12/03/04 at 09:20 (GMT)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Applied
              Status | Open                      | Closed







/**************************************************************************/
[patch #3347] Full Item Snapshot:

URL: <http://savannah.gnu.org/patch/?func=detailitem&item_id=3347>
Project: The GNU Hurd
Submitted by: Neal H. Walfield
On: Tue 09/07/04 at 15:10

Category:  GNU Mach
Priority:  7 - High
Resolution:  Applied
Privacy:  Public
Assigned to:  None
Originator Email:  
Status:  Closed


Summary:  Double free and memory loss probing partition table

Original Submission:  While GNU Mach reads the partition table, the second 
assert in 
linux/dev/glue:free_pages is triggered.  This particular assert checks
for double frees.
I have traced the problem back to getblk and __brelse: if linux_auto_config
is true (which it is when partitions are being probed), a static buffer
is used to hold the BH structure.  If getblk is called a second time
(i.e. before the first block is released), the buffer is overriden.
This results in a double free, a memory leak (as the buffer in the
first BH is never released) and a consistency problem as code which
uses the first buffer will now see different data.  This is the case
in linux/dev/drivers/block/genhd.c:msdos_partition which calls bread
then, before freeing the block, calls extended_partition which also
calls bread.  In reality, there is no reason to not use kalloc and
kfree here.  In kern/statup.c:setup_main, we see that vm_mem_bootstrap
which calls kmem_init is called long before 
linux/dev/init/main.c:linux_init is invoked by 
i386/i386at/machine_init:machine_init.

This attached patch changes getblk and __brelse to always use kalloc
and kfree and adds asserts to kern/kalloc.c to make sure that kalloc,
kfree and kget are only called after kmem_init has been called.

Apply the patch using -p0

ChangeLog:

2004-09-07  Neal H. Walfield  <neal@cs.uml.edu>

        * linux/dev/glue/block.c (__brelse): Unconditionally kfree BH.
        (getblk): Unconditionally kalloc BH.

        * kern/kalloc.c [!NDEBUG] (kalloc_init_called): New static
        variable.
        (kalloc_init): Assert that kalloc_init_called is zero.
        [! NDEBUG] Set kalloc_init_called to 1 on success.
        (kalloc): Assert that kalloc_init_called is non-zero.
        (kget): Likewise.
        (kfree): Likewise.







File Attachments
-------------------

-------------------------------------------------------
Date: Tue 09/07/04 at 15:10  Name: double-free.diff  Size: 3.18KB   By: neal

http://savannah.gnu.org/patch/download.php?item_id=3347&amp;item_file_id=3647






For detailed info, follow this link:
<http://savannah.gnu.org/patch/?func=detailitem&item_id=3347>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]