| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250826231626.218675-2-max.kellermann@ionos.com>
Date: Wed, 27 Aug 2025 01:16:25 +0200
From: Max Kellermann <max.kellermann@...os.com>
To: akpm@...ux-foundation.org,
david@...hat.com,
lorenzo.stoakes@...cle.com,
ziy@...dia.com,
baolin.wang@...ux.alibaba.com,
Liam.Howlett@...cle.com,
npache@...hat.com,
ryan.roberts@....com,
dev.jain@....com,
baohua@...nel.org,
shikemeng@...weicloud.com,
kasong@...cent.com,
nphamcs@...il.com,
bhe@...hat.com,
chrisl@...nel.org,
linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Cc: Max Kellermann <max.kellermann@...os.com>
Subject: [PATCH 2/2] mm/swap: add BUG_ON(folio==NULL) to folios_put_refs()
It is not legal to have NULL pointers in a folio_batch.
However, the Ceph code does exactly this, and a refactoring patch gone
wrong has exposed this to folios_put_refs(), see
https://lore.kernel.org/ceph-devel/aK4v548CId5GIKG1@swift.blarg.de/
I believe this should Oops instead of crashing due to NULL pointer
reference (guarded by is_huge_zero_folio(), which may silently hide
the bug).
Signed-off-by: Max Kellermann <max.kellermann@...os.com>
---
mm/swap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/mm/swap.c b/mm/swap.c
index 3632dd061beb..07ccda00e7ee 100644
--- a/mm/swap.c
+++ b/mm/swap.c
@@ -952,6 +952,7 @@ void folios_put_refs(struct folio_batch *folios, unsigned int *refs)
for (i = 0, j = 0; i < folios->nr; i++) {
struct folio *folio = folios->folios[i];
unsigned int nr_refs = refs ? refs[i] : 1;
+ BUG_ON(folio == NULL);
if (is_huge_zero_folio(folio))
continue;
--
2.47.2
Powered by blists - more mailing lists