
kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 6:38 pm
by x14sg1
Hello,

I get a kernel panic (kernel BUG at mm/vmalloc.c:1603!) with the above patch on a 32 bit VirtualBox 4.3.24 system. It occurs right after loading the "loop" module which was the only module loaded at the time of the crash. When I removed the loop modules from the kernel and booted again, I get the same error with serio_raw and hwmon modules loaded.

Linux kernel 3.19.1 without the grsecurity patch boots without issue.

I can't get a netconsole dump (I think the panic occurs too early in the boot process).

My config file, System.map, kernel and a PNM file of the crash screen are in these files:

https://home.comcast.net/~x14sg1/config ... -grsec-smp
https://home.comcast.net/~x14sg1/System ... -grsec-smp
https://home.comcast.net/~x14sg1/vmlinu ... -grsec-smp
https://home.comcast.net/~x14sg1/crash.pnm

If you need anything else, please let me know.

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 7:18 pm
by x14sg1
A small netbook also crashes with this kernel/patch with a similar but much longer stack trace

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 7:53 pm
by PaX Team
the module unload code can now get called in irq context which vunmap isn't prepared to handle, i'll have to figure out something for this case...

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 8:10 pm
by PaX Team
can you test the following patch please:
--- a/mm/vmalloc.c        2015-03-02 03:15:08.425044776 +0100
+++ b/mm/vmalloc.c        2015-03-11 01:07:26.923842142 +0100
@@ -39,10 +39,11 @@
        struct work_struct wq;
 };
 static DEFINE_PER_CPU(struct vfree_deferred, vfree_deferred);
+static DEFINE_PER_CPU(struct vfree_deferred, vunmap_deferred);

 static void __vunmap(const void *, int);

-static void free_work(struct work_struct *w)
+static void vfree_work(struct work_struct *w)
 {
        struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
        struct llist_node *llnode = llist_del_all(&p->list);
@@ -53,6 +54,17 @@
        }
 }

+static void vunmap_work(struct work_struct *w)
+{
+       struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
+       struct llist_node *llnode = llist_del_all(&p->list);
+       while (llnode) {
+               void *p = llnode;
+               llnode = llist_next(llnode);
+               __vunmap(p, 0);
+       }
+}
+
 /*** Page table manipulation functions ***/

 static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
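Review bot: In vunmap_work the inner `void *p = llnode;` shadows the outer `struct vfree_deferred *p`, which compiles but is easy to misread and trips -Wshadow; naming it `void *addr = llnode;` and calling `__vunmap(addr, 0);` keeps the two apart. The loop also relies on an ordering that is not written down: the list node is stored inside the mapping that is about to be torn down, so the next pointer has to be fetched before `__vunmap` runs. A comment such as `/* node lives in the mapping itself: read next before unmapping */` above `llnode = llist_next(llnode);` would make that explicit for whoever touches the loop later.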
@@ -1222,9 +1234,14 @@
                vbq = &per_cpu(vmap_block_queue, i);
                spin_lock_init(&vbq->lock);
                INIT_LIST_HEAD(&vbq->free);
+
                p = &per_cpu(vfree_deferred, i);
                init_llist_head(&p->list);
-               INIT_WORK(&p->wq, free_work);
+               INIT_WORK(&p->wq, vfree_work);
+
+               p = &per_cpu(vunmap_deferred, i);
+               init_llist_head(&p->list);
+               INIT_WORK(&p->wq, vunmap_work);
        }

        /* Import existing vmlist entries. */
@@ -1557,10 +1574,17 @@
  */
 void vunmap(const void *addr)
 {
-       BUG_ON(in_interrupt());
-       might_sleep();
-       if (addr)
+       if (!addr)
+               return;
+
+       if (unlikely(in_interrupt())) {
+               struct vfree_deferred *p = this_cpu_ptr(&vunmap_deferred);
+               if (llist_add((struct llist_node *)addr, &p->list))
+                       schedule_work(&p->wq);
+       } else {
+               might_sleep();
                __vunmap(addr, 0);
+       }
 }
 EXPORT_SYMBOL(vunmap);
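Review bot: The deferred branch of vunmap() casts the `const void *addr` to `struct llist_node *`, and `llist_add` then stores a link pointer through it, so the first pointer-sized bytes of the mapped area are overwritten before the unmap happens. That is harmless when the backing memory is being discarded, but the `0` passed to `__vunmap` suggests the pages stay with the caller, and nothing visible here shows that every interrupt-context caller maps the area writable and no longer needs its contents; a read-only mapping would fault on the store and a live one would be silently corrupted. At minimum the constraint should be stated next to the cast, e.g. `/* irq path stores the list node in the mapping: it must be writable and its first word dead */`, and the function comment that begins above the hunk should say when the unmap is deferred. Separately, `in_interrupt()` does not cover callers that are atomic for other reasons (a held spinlock, interrupts disabled), and those still reach `might_sleep()`.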

@@ -2554,7 +2578,7 @@
        /* insert all vm's */
        for (area = 0; area < nr_vms; area++)
                setup_vmalloc_vm(vms[area], vas[area], VM_ALLOC,
-                                __builtin_return_address(0));
+                                pcpu_get_vm_areas);

        kfree(vas);
        return vms;
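Review bot: The last argument to `setup_vmalloc_vm` changes from `__builtin_return_address(0)` to `pcpu_get_vm_areas`, which looks unrelated to deferring vunmap() from interrupt context, and the post does not explain it. If that argument is the recorded caller, every area set up in this loop will now be attributed to the same function rather than to its call site, which changes what any debugging output built on it shows. Either split this into its own patch or add a one-line comment such as `/* attribute these areas to pcpu_get_vm_areas, not its caller */`. The enclosing function starts and ends outside the hunk.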

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 8:34 pm
by x14sg1
Hello,

I am unsure how to proceed with the patch above. It doesn't appear to be against source already patched with the grsecurity patch and I do not think it is supposed to replace the mm/vmalloc.c section in the grsecurity patch.

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 8:50 pm
by PaX Team
it's whitespace damaged (use "patch -l") but otherwise it applies on top of PaX and it should apply to grsec with perhaps trivial changes as well.

Re: kernal panic w/grsecurity-3.1-3.19.1-201503092204.patch

PostPosted: Tue Mar 10, 2015 9:43 pm
by x14sg1
Hello,

Your small patch has eliminated the kernel panic and I was able to "rmmod loop".

Thanks