Revision a67adb997419fb53540d4a4f79c6471c60bc69b6 authored by Dmitry Kasatkin on 18 January 2013, 21:56:39 UTC, committed by James Morris on 21 January 2013, 13:27:50 UTC
The following lines of code produce a kernel oops. fd = socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0); fchmod(fd, 0666); [ 139.922364] BUG: unable to handle kernel NULL pointer dereference at (null) [ 139.924982] IP: [< (null)>] (null) [ 139.924982] *pde = 00000000 [ 139.924982] Oops: 0000 [#5] SMP [ 139.924982] Modules linked in: fuse dm_crypt dm_mod i2c_piix4 serio_raw evdev binfmt_misc button [ 139.924982] Pid: 3070, comm: acpid Tainted: G D 3.8.0-rc2-kds+ #465 Bochs Bochs [ 139.924982] EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0 [ 139.924982] EIP is at 0x0 [ 139.924982] EAX: cf5ef000 EBX: cf5ef000 ECX: c143d600 EDX: c15225f2 [ 139.924982] ESI: cf4d2a1c EDI: cf4d2a1c EBP: cc02df10 ESP: cc02dee4 [ 139.924982] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 139.924982] CR0: 80050033 CR2: 00000000 CR3: 0c059000 CR4: 000006d0 [ 139.924982] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 139.924982] DR6: ffff0ff0 DR7: 00000400 [ 139.924982] Process acpid (pid: 3070, ti=cc02c000 task=d7705340 task.ti=cc02c000) [ 139.924982] Stack: [ 139.924982] c1203c88 00000000 cc02def4 cf4d2a1c ae21eefa 471b60d5 1083c1ba c26a5940 [ 139.924982] e891fb5e 00000041 00000004 cc02df1c c1203964 00000000 cc02df4c c10e20c3 [ 139.924982] 00000002 00000000 00000000 22222222 c1ff2222 cf5ef000 00000000 d76efb08 [ 139.924982] Call Trace: [ 139.924982] [<c1203c88>] ? evm_update_evmxattr+0x5b/0x62 [ 139.924982] [<c1203964>] evm_inode_post_setattr+0x22/0x26 [ 139.924982] [<c10e20c3>] notify_change+0x25f/0x281 [ 139.924982] [<c10cbf56>] chmod_common+0x59/0x76 [ 139.924982] [<c10e27a1>] ? put_unused_fd+0x33/0x33 [ 139.924982] [<c10cca09>] sys_fchmod+0x39/0x5c [ 139.924982] [<c13f4f30>] syscall_call+0x7/0xb [ 139.924982] Code: Bad EIP value. This happens because sockets do not define the removexattr operation. Before removing the xattr, verify the removexattr function pointer is not NULL. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org Signed-off-by: James Morris <james.l.morris@oracle.com>
1 parent 9a92841
| File | Mode | Size |
|---|---|---|
| Kconfig | -rw-r--r-- | 15.0 KB |
| Kconfig.debug | -rw-r--r-- | 1015 bytes |
| Makefile | -rw-r--r-- | 2.0 KB |
| backing-dev.c | -rw-r--r-- | 21.2 KB |
| balloon_compaction.c | -rw-r--r-- | 9.6 KB |
| bootmem.c | -rw-r--r-- | 21.1 KB |
| bounce.c | -rw-r--r-- | 6.6 KB |
| cleancache.c | -rw-r--r-- | 6.5 KB |
| compaction.c | -rw-r--r-- | 32.4 KB |
| debug-pagealloc.c | -rw-r--r-- | 2.1 KB |
| dmapool.c | -rw-r--r-- | 13.1 KB |
| fadvise.c | -rw-r--r-- | 3.6 KB |
| failslab.c | -rw-r--r-- | 1.3 KB |
| filemap.c | -rw-r--r-- | 67.3 KB |
| filemap_xip.c | -rw-r--r-- | 11.3 KB |
| fremap.c | -rw-r--r-- | 6.8 KB |
| frontswap.c | -rw-r--r-- | 10.3 KB |
| highmem.c | -rw-r--r-- | 9.9 KB |
| huge_memory.c | -rw-r--r-- | 73.7 KB |
| hugetlb.c | -rw-r--r-- | 82.4 KB |
| hugetlb_cgroup.c | -rw-r--r-- | 10.7 KB |
| hwpoison-inject.c | -rw-r--r-- | 3.3 KB |
| init-mm.c | -rw-r--r-- | 619 bytes |
| internal.h | -rw-r--r-- | 11.1 KB |
| interval_tree.c | -rw-r--r-- | 3.2 KB |
| kmemcheck.c | -rw-r--r-- | 2.8 KB |
| kmemleak-test.c | -rw-r--r-- | 3.3 KB |
| kmemleak.c | -rw-r--r-- | 52.5 KB |
| ksm.c | -rw-r--r-- | 55.2 KB |
| maccess.c | -rw-r--r-- | 1.6 KB |
| madvise.c | -rw-r--r-- | 11.9 KB |
| memblock.c | -rw-r--r-- | 29.1 KB |
| memcontrol.c | -rw-r--r-- | 178.6 KB |
| memory-failure.c | -rw-r--r-- | 42.3 KB |
| memory.c | -rw-r--r-- | 113.9 KB |
| memory_hotplug.c | -rw-r--r-- | 35.7 KB |
| mempolicy.c | -rw-r--r-- | 70.9 KB |
| mempool.c | -rw-r--r-- | 10.5 KB |
| migrate.c | -rw-r--r-- | 44.3 KB |
| mincore.c | -rw-r--r-- | 7.8 KB |
| mlock.c | -rw-r--r-- | 15.5 KB |
| mm_init.c | -rw-r--r-- | 3.7 KB |
| mmap.c | -rw-r--r-- | 80.6 KB |
| mmu_context.c | -rw-r--r-- | 1.4 KB |
| mmu_notifier.c | -rw-r--r-- | 9.4 KB |
| mmzone.c | -rw-r--r-- | 1.9 KB |
| mprotect.c | -rw-r--r-- | 10.2 KB |
| mremap.c | -rw-r--r-- | 14.3 KB |
| msync.c | -rw-r--r-- | 2.4 KB |
| nobootmem.c | -rw-r--r-- | 11.2 KB |
| nommu.c | -rw-r--r-- | 51.3 KB |
| oom_kill.c | -rw-r--r-- | 19.4 KB |
| page-writeback.c | -rw-r--r-- | 69.1 KB |
| page_alloc.c | -rw-r--r-- | 169.5 KB |
| page_cgroup.c | -rw-r--r-- | 11.9 KB |
| page_io.c | -rw-r--r-- | 6.8 KB |
| page_isolation.c | -rw-r--r-- | 7.0 KB |
| pagewalk.c | -rw-r--r-- | 5.7 KB |
| percpu-km.c | -rw-r--r-- | 2.8 KB |
| percpu-vm.c | -rw-r--r-- | 12.9 KB |
| percpu.c | -rw-r--r-- | 57.1 KB |
| pgtable-generic.c | -rw-r--r-- | 4.6 KB |
| process_vm_access.c | -rw-r--r-- | 13.3 KB |
| quicklist.c | -rw-r--r-- | 2.4 KB |
| readahead.c | -rw-r--r-- | 16.1 KB |
| rmap.c | -rw-r--r-- | 51.6 KB |
| shmem.c | -rw-r--r-- | 76.8 KB |
| slab.c | -rw-r--r-- | 117.7 KB |
| slab.h | -rw-r--r-- | 6.2 KB |
| slab_common.c | -rw-r--r-- | 11.1 KB |
| slob.c | -rw-r--r-- | 15.3 KB |
| slub.c | -rw-r--r-- | 129.0 KB |
| sparse-vmemmap.c | -rw-r--r-- | 5.9 KB |
| sparse.c | -rw-r--r-- | 20.7 KB |
| swap.c | -rw-r--r-- | 23.1 KB |
| swap_state.c | -rw-r--r-- | 10.3 KB |
| swapfile.c | -rw-r--r-- | 63.1 KB |
| truncate.c | -rw-r--r-- | 18.3 KB |
| util.c | -rw-r--r-- | 9.1 KB |
| vmalloc.c | -rw-r--r-- | 66.0 KB |
| vmscan.c | -rw-r--r-- | 99.7 KB |
| vmstat.c | -rw-r--r-- | 33.9 KB |
Computing file changes ...
