From: Peter Xu <peterx@redhat.com>
To: linux-kernel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-mm@kvack.org
Cc: Andrew Morton <akpm@linux-foundation.org>,
peterx@redhat.com,
syzbot+693dc11fcb53120b5559@syzkaller.appspotmail.com
Subject: [PATCH 1/2] mm/mempolicy: Allow lookup_node() to handle fatal signal
Date: Tue, 7 Apr 2020 21:40:09 -0400
Message-ID: <20200408014010.80428-2-peterx@redhat.com>
In-Reply-To: <20200408014010.80428-1-peterx@redhat.com>

lookup_node() uses gup to pin the page and get node information. It
checks against ret>=0 assuming the page will be filled in. However
it's also possible that gup will return zero, for example, when the
thread is quickly killed with a fatal signal. Teach lookup_node() to
gracefully return an error -EFAULT if it happens.

Meanwhile, initialize "page" to NULL to avoid potential risk of
exploiting the pointer.

Reported-by: syzbot+693dc11fcb53120b5559@syzkaller.appspotmail.com
Fixes: 4426e945df58 ("mm/gup: allow VM_FAULT_RETRY for multiple times")
Signed-off-by: Peter Xu <peterx@redhat.com>
---
mm/mempolicy.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 5fb427aed612..c7ca6a808fb1 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -897,12 +897,15 @@ static void get_policy_nodemask(struct mempolicy *p, nodemask_t *nodes)
static int lookup_node(struct mm_struct *mm, unsigned long addr)
{
- struct page *p;
+ struct page *p = NULL;
int err;
int locked = 1;
err = get_user_pages_locked(addr & PAGE_MASK, 1, 0, &p, &locked);
- if (err >= 0) {
+ if (err == 0) {
+ /* E.g. GUP interrupted by fatal signal */
+ err = -EFAULT;
+ } else if (err > 0) {
err = page_to_nid(p);
put_page(p);
}
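Review bot: the new `err == 0` branch maps "no page pinned" to -EFAULT, which makes a GUP call interrupted by a fatal signal indistinguishable from a genuinely bad address for the caller. The comment only says "E.g.", so please state which zero-return cases are expected here and why -EFAULT rather than -EINTR is the value to propagate. With the `else if (err > 0)` guard in place, `page_to_nid(p)` and `put_page(p)` are no longer reached when nothing was pinned, so `struct page *p = NULL;` is purely defensive; a short comment on that line would keep a later cleanup from dropping it. The commit message also calls the variable "page" while the code names it `p`.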
--
2.24.1