]> www.infradead.org Git - users/jedix/linux-maple.git/commitdiff
projects / users / jedix / linux-maple.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 40ce0c3)
x86/ldt: fix crash in ldt freeing.
authorJamie Iles <jamie.iles@oracle.com>
Fri, 5 Jan 2018 18:13:10 +0000 (18:13 +0000)
committerKirtikar Kashyap <kirtikar.kashyap@oracle.com>
Fri, 12 Jan 2018 18:20:11 +0000 (10:20 -0800)
94b1f3e2c4b7 (kaiser: merged update) factored out __free_ldt_struct() to
use vfree/free_page, but in the page allocation case it is actually
allocated with kmalloc so needs to be freed with kfree and not
free_page().

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Orabug: 27333760
CVE: CVE-2017-5754
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
arch/x86/kernel/ldt.c patch | blob | history

diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 5797d437710db7eba995bae6f0cdb432f697ef80..17ad4e1929a40d9f89947baf26e1ee51406bd182 100644 (file)
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -39,7 +39,7 @@ static void __free_ldt_struct(struct ldt_struct *ldt)
        if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
                vfree(ldt->entries);
        else
-               free_page((unsigned long)ldt->entries);
+               kfree((unsigned long)ldt->entries);
        kfree(ldt);
 }
 
Unnamed repository; edit this file 'description' to name the repository.