https://github.com/torvalds/linux
Revision f2a9ef880763d7fbd657a3af646e132a90d70d34 authored by Sasha Levin on 25 April 2012, 23:01:52 UTC, committed by Linus Torvalds on 26 April 2012, 04:26:34 UTC
Commit 3268c63 ("mm: fix move/migrate_pages() race on task struct") has
added an odd construct where 'mm' is checked for being NULL, and if it is,
it would get dereferenced anyways by mput()ing it.
This would lead to the following NULL ptr deref and BUG() when calling
migrate_pages() with a pid that has no mm struct:
[25904.193704] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[25904.194235] IP: [<ffffffff810b0de7>] mmput+0x27/0xf0
[25904.194235] PGD 773e6067 PUD 77da0067 PMD 0
[25904.194235] Oops: 0002 [#1] PREEMPT SMP
[25904.194235] CPU 2
[25904.194235] Pid: 31608, comm: trinity Tainted: G W 3.4.0-rc2-next-20120412-sasha #69
[25904.194235] RIP: 0010:[<ffffffff810b0de7>] [<ffffffff810b0de7>] mmput+0x27/0xf0
[25904.194235] RSP: 0018:ffff880077d49e08 EFLAGS: 00010202
[25904.194235] RAX: 0000000000000286 RBX: 0000000000000000 RCX: 0000000000000000
[25904.194235] RDX: ffff880075ef8000 RSI: 000000000000023d RDI: 0000000000000286
[25904.194235] RBP: ffff880077d49e18 R08: 0000000000000001 R09: 0000000000000001
[25904.194235] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[25904.194235] R13: 00000000ffffffea R14: ffff880034287740 R15: ffff8800218d3010
[25904.194235] FS: 00007fc8b244c700(0000) GS:ffff880029800000(0000) knlGS:0000000000000000
[25904.194235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[25904.194235] CR2: 0000000000000050 CR3: 00000000767c6000 CR4: 00000000000406e0
[25904.194235] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[25904.194235] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[25904.194235] Process trinity (pid: 31608, threadinfo ffff880077d48000, task ffff880075ef8000)
[25904.194235] Stack:
[25904.194235] ffff8800342876c0 0000000000000000 ffff880077d49f78 ffffffff811b8020
[25904.194235] ffffffff811b7d91 ffff880075ef8000 ffff88002256d200 0000000000000000
[25904.194235] 00000000000003ff 0000000000000000 0000000000000000 0000000000000000
[25904.194235] Call Trace:
[25904.194235] [<ffffffff811b8020>] sys_migrate_pages+0x340/0x3a0
[25904.194235] [<ffffffff811b7d91>] ? sys_migrate_pages+0xb1/0x3a0
[25904.194235] [<ffffffff8266cbb9>] system_call_fastpath+0x16/0x1b
[25904.194235] Code: c9 c3 66 90 55 31 d2 48 89 e5 be 3d 02 00 00 48 83 ec 10 48 89 1c 24 4c 89 64 24 08 48 89 fb 48 c7 c7 cf 0e e1 82 e8 69 18 03 00 <f0> ff 4b 50 0f 94 c0 84 c0 0f 84 aa 00 00 00 48 89 df e8 72 f1
[25904.194235] RIP [<ffffffff810b0de7>] mmput+0x27/0xf0
[25904.194235] RSP <ffff880077d49e08>
[25904.194235] CR2: 0000000000000050
[25904.348999] ---[ end trace a307b3ed40206b4b ]---
Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Cc: Dave Hansen <dave@linux.vnet.ibm.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Christoph Lameter <cl@linux.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 63f61a6
Tip revision: f2a9ef880763d7fbd657a3af646e132a90d70d34 authored by Sasha Levin on 25 April 2012, 23:01:52 UTC
mm: fix NULL ptr dereference in migrate_pages
mm: fix NULL ptr dereference in migrate_pages
Tip revision: f2a9ef8
| File | Mode | Size |
|---|---|---|
| blackfin | ||
| davinci | ||
| adp1653.h | -rw-r--r-- | 4.2 KB |
| adv7183.h | -rw-r--r-- | 1.8 KB |
| adv7343.h | -rw-r--r-- | 730 bytes |
| ak881x.h | -rw-r--r-- | 665 bytes |
| as3645a.h | -rw-r--r-- | 2.4 KB |
| atmel-isi.h | -rw-r--r-- | 3.6 KB |
| bt819.h | -rw-r--r-- | 1.1 KB |
| cs5345.h | -rw-r--r-- | 1.2 KB |
| cs53l32a.h | -rw-r--r-- | 1.2 KB |
| cx2341x.h | -rw-r--r-- | 9.8 KB |
| cx25840.h | -rw-r--r-- | 5.4 KB |
| gpio-ir-recv.h | -rw-r--r-- | 686 bytes |
| i2c-addr.h | -rw-r--r-- | 1.2 KB |
| ir-kbd-i2c.h | -rw-r--r-- | 1.2 KB |
| lirc.h | -rw-r--r-- | 6.3 KB |
| lirc_dev.h | -rw-r--r-- | 5.7 KB |
| m52790.h | -rw-r--r-- | 2.7 KB |
| m5mols.h | -rw-r--r-- | 1.1 KB |
| media-device.h | -rw-r--r-- | 2.9 KB |
| media-devnode.h | -rw-r--r-- | 2.9 KB |
| media-entity.h | -rw-r--r-- | 4.6 KB |
| mmp-camera.h | -rw-r--r-- | 179 bytes |
| msp3400.h | -rw-r--r-- | 8.3 KB |
| mt9m032.h | -rw-r--r-- | 1.1 KB |
| mt9p031.h | -rw-r--r-- | 467 bytes |
| mt9t001.h | -rw-r--r-- | 118 bytes |
| mt9t112.h | -rw-r--r-- | 690 bytes |
| mt9v011.h | -rw-r--r-- | 384 bytes |
| mt9v032.h | -rw-r--r-- | 207 bytes |
| noon010pc30.h | -rw-r--r-- | 727 bytes |
| omap1_camera.h | -rw-r--r-- | 880 bytes |
| omap3isp.h | -rw-r--r-- | 3.8 KB |
| ov7670.h | -rw-r--r-- | 476 bytes |
| ov772x.h | -rw-r--r-- | 1.4 KB |
| radio-si4713.h | -rw-r--r-- | 684 bytes |
| rc-core.h | -rw-r--r-- | 7.4 KB |
| rc-map.h | -rw-r--r-- | 7.6 KB |
| rj54n1cb0c.h | -rw-r--r-- | 425 bytes |
| s5k6aa.h | -rw-r--r-- | 1.4 KB |
| s5p_fimc.h | -rw-r--r-- | 2.0 KB |
| s5p_hdmi.h | -rw-r--r-- | 927 bytes |
| saa6588.h | -rw-r--r-- | 1.3 KB |
| saa6752hs.h | -rw-r--r-- | 887 bytes |
| saa7115.h | -rw-r--r-- | 2.0 KB |
| saa7127.h | -rw-r--r-- | 1.2 KB |
| saa7146.h | -rw-r--r-- | 17.6 KB |
| saa7146_vv.h | -rw-r--r-- | 7.4 KB |
| sh_mobile_ceu.h | -rw-r--r-- | 660 bytes |
| sh_mobile_csi2.h | -rw-r--r-- | 963 bytes |
| sh_vou.h | -rw-r--r-- | 716 bytes |
| si4713.h | -rw-r--r-- | 1.4 KB |
| sii9234.h | -rw-r--r-- | 590 bytes |
| soc_camera.h | -rw-r--r-- | 9.7 KB |
| soc_camera_platform.h | -rw-r--r-- | 1.7 KB |
| soc_mediabus.h | -rw-r--r-- | 2.7 KB |
| sr030pc30.h | -rw-r--r-- | 628 bytes |
| timb_radio.h | -rw-r--r-- | 994 bytes |
| timb_video.h | -rw-r--r-- | 1.0 KB |
| tuner-types.h | -rw-r--r-- | 4.6 KB |
| tuner.h | -rw-r--r-- | 7.5 KB |
| tvaudio.h | -rw-r--r-- | 1.4 KB |
| tveeprom.h | -rw-r--r-- | 828 bytes |
| tvp514x.h | -rw-r--r-- | 2.9 KB |
| tvp5150.h | -rw-r--r-- | 1.0 KB |
| tvp7002.h | -rw-r--r-- | 1.9 KB |
| tw9910.h | -rw-r--r-- | 784 bytes |
| upd64031a.h | -rw-r--r-- | 1.3 KB |
| upd64083.h | -rw-r--r-- | 2.2 KB |
| v4l2-chip-ident.h | -rw-r--r-- | 9.1 KB |
| v4l2-common.h | -rw-r--r-- | 7.7 KB |
| v4l2-ctrls.h | -rw-r--r-- | 20.4 KB |
| v4l2-dev.h | -rw-r--r-- | 6.2 KB |
| v4l2-device.h | -rw-r--r-- | 7.1 KB |
| v4l2-event.h | -rw-r--r-- | 4.4 KB |
| v4l2-fh.h | -rw-r--r-- | 3.2 KB |
| v4l2-int-device.h | -rw-r--r-- | 7.7 KB |
| v4l2-ioctl.h | -rw-r--r-- | 12.8 KB |
| v4l2-mediabus.h | -rw-r--r-- | 3.5 KB |
| v4l2-mem2mem.h | -rw-r--r-- | 6.3 KB |
| v4l2-subdev.h | -rw-r--r-- | 23.9 KB |
| videobuf-core.h | -rw-r--r-- | 7.1 KB |
| videobuf-dma-contig.h | -rw-r--r-- | 1.0 KB |
| videobuf-dma-sg.h | -rw-r--r-- | 3.3 KB |
| videobuf-dvb.h | -rw-r--r-- | 1.8 KB |
| videobuf-vmalloc.h | -rw-r--r-- | 1.3 KB |
| videobuf2-core.h | -rw-r--r-- | 14.6 KB |
| videobuf2-dma-contig.h | -rw-r--r-- | 839 bytes |
| videobuf2-dma-sg.h | -rw-r--r-- | 816 bytes |
| videobuf2-memops.h | -rw-r--r-- | 1.3 KB |
| videobuf2-vmalloc.h | -rw-r--r-- | 509 bytes |
| wm8775.h | -rw-r--r-- | 1.4 KB |
Computing file changes ...
