Date:	Fri, 12 Mar 2010 15:41:15 -0800
From:	Ravikiran G Thirumalai <kiran@...lex86.org>
To:	akpm@...ux-foundation.org
Cc:	linux-kernel@...r.kernel.org
Subject: [patch] Oops on tmpfs remounts with mpol=default

One of our customers reported an Oops when trying to remount a tmpfs mount
back with 'default' mempolicy after changing it to a non-default policy.

Upon examination of code, I found that the kernel remount code tries to
dereference the 'NULL' mempolicy object returned by mpol_new at
mpol_parse_str.

Attached is the oops snippet.  Please find the proposed fix inline.

Thanks,
Kiran

---

Fix an 'oops' when a tmpfs mount point is remounted with the 'default'
mempolicy.

Upon remounting a tmpfs mount point with 'mpol=default' option, the remount
code crashed with a null pointer dereference.  The initial problem report was
on 2.6.27, but the problem exists in mainline 2.6.34-rc as well.  On
examining the code, we see that mpol_new returns NULL if default mempolicy
was requested.  This 'NULL' mempolicy is accessed to store the node mask
resulting in oops.

The following patch fixes the oops by avoiding dereferencing NULL if the
new mempolicy is NULL.
The patch also sets 'err' to 0 if MPOL_DEFAULT is passed (err is initialized
to 1 initially at mpol_parse_str())


Signed-off-by: Ravikiran Thirumalai <kiran@...lex86.org>

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index bda230e..a86277d 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2213,10 +2213,14 @@ int mpol_parse_str(char *str, struct mempolicy **mpol, int no_context)
 			goto out;
 		mode = MPOL_PREFERRED;
 		break;
-
+	case MPOL_DEFAULT:
+		/*
+		 * mpol_new() enforces empty nodemask, ignores flags.
+		 */
+		err = 0;
+		break;
 	/*
 	 * case MPOL_BIND:    mpol_new() enforces non-empty nodemask.
-	 * case MPOL_DEFAULT: mpol_new() enforces empty nodemask, ignores flags.
 	 */
 	}
 
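Review bot: the new MPOL_DEFAULT case clears err, which is needed because err starts at 1 and the old trailing comment implied that mpol_new() handled "default" on its own; the same comment still lists MPOL_BIND as handled only by mpol_new(), so please check that err is cleared somewhere on the bind path too, otherwise 'mpol=bind:...' fails for the same reason. Minor style point: the three-line block comment inside the new case fits on one line, `/* mpol_new() enforces empty nodemask, ignores flags. */`.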
@@ -2250,7 +2254,7 @@ int mpol_parse_str(char *str, struct mempolicy **mpol, int no_context)
 		if (ret) {
 			err = 1;
 			mpol_put(new);
-		} else if (no_context) {
+		} else if (no_context && new) {
 			/* save for contextualization */
 			new->w.user_nodemask = nodes;
 		}
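Review bot: the `&& new` guard stops the write to new->w.user_nodemask when mpol_new() returned NULL for MPOL_DEFAULT, but as written it reads like a defensive NULL test rather than the deliberate "default policy has no object" case; a one-line comment above it saying that NULL is the valid result for MPOL_DEFAULT would help the next reader. Please also confirm that the calls earlier on this path (the one producing `ret`, and mpol_put(new) on the error branch) accept a NULL policy, otherwise the oops only moves a few lines up.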

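To make the control flow the mail describes concrete, here is an added user-space model of it; this is not the kernel's mpol_parse_str() or mpol_new(), and the mode names, the text-only nodelist and the 0/-1 return convention of model_mpol_new() are simplifications assumed for the example. It shows the two points of the patch: err starts at 1 and must be cleared for "default", and the NULL policy mpol_new() returns for "default" is a valid result that must not be dereferenced.

```c
#include <stdlib.h>
#include <string.h>
/* Added user-space model of the control flow described in the mail; it is not
 * the kernel's code. Mode names, the text-only nodelist and the -1/0 return
 * convention of model_mpol_new() are simplifications (assumptions). */
enum { MPOL_DEFAULT, MPOL_PREFERRED, MPOL_INTERLEAVE };
static const char *const modes[] = { "default", "prefer", "interleave" };
struct mempolicy { int mode; char nodes[32]; };

/* Model of mpol_new(): for MPOL_DEFAULT the valid result is *out == NULL. */
static int model_mpol_new(int mode, const char *nodelist, struct mempolicy **out)
{
    *out = NULL;
    if (mode == MPOL_DEFAULT)               /* default: nodemask must be empty */
        return (nodelist && *nodelist) ? -1 : 0;
    *out = calloc(1, sizeof **out);
    if (!*out) return -1;
    (*out)->mode = mode;
    return 0;
}

/* Model of mpol_parse_str(): returns 0 on success with the policy (NULL for
 * "default") stored in *mpol, 1 on error. err starts at 1, so every accepted
 * mode has to clear it explicitly, which is what the MPOL_DEFAULT case does. */
int model_parse_str(const char *str, struct mempolicy **mpol)
{
    char buf[64], *nodelist;
    struct mempolicy *new = NULL;
    int mode, err = 1;
    if (strlen(str) >= sizeof buf) return 1;
    strcpy(buf, str);
    nodelist = strchr(buf, ':');            /* split "mode:nodelist" */
    if (nodelist) *nodelist++ = '\0';
    for (mode = MPOL_DEFAULT; mode <= MPOL_INTERLEAVE; mode++)
        if (!strcmp(buf, modes[mode])) break;
    if (mode > MPOL_INTERLEAVE) return 1;
    switch (mode) {
    case MPOL_PREFERRED:                    /* prefer insists on a nodelist */
        if (nodelist) err = 0;
        break;
    case MPOL_INTERLEAVE:
    case MPOL_DEFAULT:                      /* the case the patch adds */
        err = 0;
        break;
    }
    if (err || model_mpol_new(mode, nodelist, &new)) return 1;
    if (new)                                /* the patch's guard: NULL is not an error */
        strncpy(new->nodes, nodelist ? nodelist : "", sizeof new->nodes - 1);
    *mpol = new;
    return 0;
}
```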