From: Jamie Iles <jamie.iles@oracle.com>
Date: Fri, 5 Jan 2018 18:13:10 +0000 (+0000)
Subject: x86/ldt: fix crash in ldt freeing.
X-Git-Tag: v4.1.12-124.31.3~1305
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=16da9df01fec3cee6d0ebf1f08e61d9a2cf89415;p=users%2Fjedix%2Flinux-maple.git

x86/ldt: fix crash in ldt freeing.

94b1f3e2c4b7 (kaiser: merged update) factored out __free_ldt_struct() to
use vfree/free_page, but in the page allocation case it is actually
allocated with kmalloc so needs to be freed with kfree and not
free_page().

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Orabug: 27333760
CVE: CVE-2017-5754
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
---

diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
index 5797d437710db..17ad4e1929a40 100644
--- a/arch/x86/kernel/ldt.c
+++ b/arch/x86/kernel/ldt.c
@@ -39,7 +39,7 @@ static void __free_ldt_struct(struct ldt_struct *ldt)
 	if (ldt->size * LDT_ENTRY_SIZE > PAGE_SIZE)
 		vfree(ldt->entries);
 	else
-		free_page((unsigned long)ldt->entries);
+		kfree((unsigned long)ldt->entries);
 	kfree(ldt);
 }