| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Jul 2022 17:07:00 +0800
From: tujinjiang@...edance.com
To: akpm@...ux-foundation.org
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
Jinjiang Tu <tujinjiang@...edance.com>
Subject: [PATCH] vmscan: fix potential arbitrary pointer passed to kfree in unregister_shrinker
From: Jinjiang Tu <tujinjiang@...edance.com>
when shrinker is registered with SHRINKER_MEMCG_AWARE flag,
register_shrinker will not initialize shrinker->nr_deferred,
but the pointer will be passed to kfree in unregister_shrinker
when the shrinker is unregistered. This leads to kernel crash
when the shrinker object is dynamically allocated.
To fix it, this patch initialize shrinker->nr_deferred at the
beginning of prealloc_shrinker.
Signed-off-by: Jinjiang Tu <tujinjiang@...edance.com>
---
mm/vmscan.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/vmscan.c b/mm/vmscan.c
index f7d9a683e3a7..06ab5a398971 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -613,6 +613,7 @@ int prealloc_shrinker(struct shrinker *shrinker)
unsigned int size;
int err;
+ shrinker->nr_deferred = NULL;
if (shrinker->flags & SHRINKER_MEMCG_AWARE) {
err = prealloc_memcg_shrinker(shrinker);
if (err != -ENOSYS)
--
2.17.1
Powered by blists - more mailing lists