| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmME9qBtUuOSEU3Cb9rL7SHaBAwk862VEPdmYcisnSHDERtvQ@mail.gmail.com>
Date: Mon, 28 Sep 2020 12:17:58 +0200
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: Jason Gunthorpe <jgg@...pe.ca>, Peter Xu <peterx@...hat.com>,
Linus Torvalds <torvalds@...ux-foundation.org>
Cc: intel-gfx@...ts.freedesktop.org,
"open list:DRM DRIVERS" <dri-devel@...ts.freedesktop.org>,
open list <linux-kernel@...r.kernel.org>,
Chris Wilson <chris@...is-wilson.co.uk>,
Linux-MM <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Alright, the failing code seems to be in mm:
if (flags & FOLL_PIN)
atomic_set(¤t->mm->has_pinned, 1);
Apparently you can't rely on current->mm being valid in this context;
it's null here, hence the +0x64 for has_pinned's offset.
This was added by 008cfe4418b3 ("mm: Introduce mm_struct.has_pinned"),
which is new for rc7 indeed.
The crash goes away when changing that to:
if ((flags & FOLL_PIN) && current->mm)
atomic_set(¤t->mm->has_pinned, 1);
But I haven't really evaluated whether or not that's racy or if I need
to take locks to do such a thing.
Powered by blists - more mailing lists