https://github.com/torvalds/linux
Revision 2b472611a32a72f4a118c069c2d62a1a3f087afd authored by Hugh Dickins on 15 June 2011, 22:08:58 UTC, committed by Linus Torvalds on 16 June 2011, 03:04:02 UTC
Andrea Righi reported a case where an exiting task can race against ksmd::scan_get_next_rmap_item (http://lkml.org/lkml/2011/6/1/742) easily triggering a NULL pointer dereference in ksmd. ksm_scan.mm_slot == &ksm_mm_head with only one registered mm CPU 1 (__ksm_exit) CPU 2 (scan_get_next_rmap_item) list_empty() is false lock slot == &ksm_mm_head list_del(slot->mm_list) (list now empty) unlock lock slot = list_entry(slot->mm_list.next) (list is empty, so slot is still ksm_mm_head) unlock slot->mm == NULL ... Oops Close this race by revalidating that the new slot is not simply the list head again. Andrea's test case: #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/mman.h> #define BUFSIZE getpagesize() int main(int argc, char **argv) { void *ptr; if (posix_memalign(&ptr, getpagesize(), BUFSIZE) < 0) { perror("posix_memalign"); exit(1); } if (madvise(ptr, BUFSIZE, MADV_MERGEABLE) < 0) { perror("madvise"); exit(1); } *(char *)NULL = 0; return 0; } Reported-by: Andrea Righi <andrea@betterlinux.com> Tested-by: Andrea Righi <andrea@betterlinux.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Signed-off-by: Hugh Dickins <hughd@google.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent c7cbb02
Tip revision: 2b472611a32a72f4a118c069c2d62a1a3f087afd authored by Hugh Dickins on 15 June 2011, 22:08:58 UTC
ksm: fix NULL pointer dereference in scan_get_next_rmap_item()
ksm: fix NULL pointer dereference in scan_get_next_rmap_item()
Tip revision: 2b47261
File | Mode | Size |
---|---|---|
Documentation | ||
arch | ||
block | ||
crypto | ||
drivers | ||
firmware | ||
fs | ||
include | ||
init | ||
ipc | ||
kernel | ||
lib | ||
mm | ||
net | ||
samples | ||
scripts | ||
security | ||
sound | ||
tools | ||
usr | ||
virt | ||
.gitignore | -rw-r--r-- | 966 bytes |
.mailmap | -rw-r--r-- | 4.2 KB |
COPYING | -rw-r--r-- | 18.3 KB |
CREDITS | -rw-r--r-- | 92.3 KB |
Kbuild | -rw-r--r-- | 2.4 KB |
Kconfig | -rw-r--r-- | 252 bytes |
MAINTAINERS | -rw-r--r-- | 189.9 KB |
Makefile | -rw-r--r-- | 52.2 KB |
README | -rw-r--r-- | 17.1 KB |
REPORTING-BUGS | -rw-r--r-- | 3.3 KB |
Computing file changes ...