Re: mpol_to_str revisited.

From: Dave Jones
Date: Mon Oct 08 2012 - 11:15:56 EST

Next message: Mel Gorman: "Re: [PATCH] mm: memmap_init_zone() performance improvement"
Previous message: Dave Jones: "mpol_to_str revisited."
In reply to: Dave Jones: "mpol_to_str revisited."
Next in thread: David Rientjes: "Re: mpol_to_str revisited."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 08, 2012 at 11:09:49AM -0400, Dave Jones wrote:
> Last month I sent in 80de7c3138ee9fd86a98696fd2cf7ad89b995d0a to remove
> a user triggerable BUG in mempolicy.
>
> Ben Hutchings pointed out to me that my change introduced a potential leak
> of stack contents to userspace, because none of the callers check the return value.
>
> This patch adds the missing return checking, and also clears the buffer beforehand.
>
> Reported-by: Ben Hutchings <bhutchings@xxxxxxxxxxxxxx>
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Dave Jones <davej@xxxxxxxxxx>
>
> ---
> unanswered question: why are the buffer sizes here different ? which is correct?

A further unanswered question is how the state got so screwed up that we hit that
default case at all. Looking at the original report: https://lkml.org/lkml/2012/9/6/356
What's in RAX looks suspiciously like left-over slab poison.

If pol->mode was poisoned, that smells like we have a race where policy is getting freed
while another process is reading it.

Am I missing something, or is there no locking around that at all ?

Dave

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mel Gorman: "Re: [PATCH] mm: memmap_init_zone() performance improvement"
Previous message: Dave Jones: "mpol_to_str revisited."
In reply to: Dave Jones: "mpol_to_str revisited."
Next in thread: David Rientjes: "Re: mpol_to_str revisited."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]