stable.vger.kernel.org archive mirror
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Dave Hansen <dave@linux.vnet.ibm.com>,
	Dave Jones <davej@redhat.com>, Mel Gorman <mel@csn.ul.ie>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Christoph Lameter <cl@linux.com>,
	Andrea Arcangeli <aarcange@redhat.com>
Subject: [ 34/82] mm: fix vma_resv_map() NULL pointer
Date: Fri, 08 Jun 2012 05:19:14 +0100
Message-ID: <20120608041845.412874384@decadent.org.uk>
In-Reply-To: <20120608041840.861504477@decadent.org.uk>

3.2-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Hansen <dave@linux.vnet.ibm.com>

commit 4523e1458566a0e8ecfaff90f380dd23acc44d27 upstream.

hugetlb_reserve_pages() can be used for either normal file-backed
hugetlbfs mappings, or MAP_HUGETLB.  In the MAP_HUGETLB, semi-anonymous
mode, there is not a VMA around.  The new call to resv_map_put() assumed
that there was, and resulted in a NULL pointer dereference:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
  IP: vma_resv_map+0x9/0x30
  PGD 141453067 PUD 1421e1067 PMD 0
  Oops: 0000 [#1] PREEMPT SMP
  ...
  Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
  RIP: vma_resv_map+0x9/0x30
  ...
  Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
  Call Trace:
    resv_map_put+0xe/0x40
    hugetlb_reserve_pages+0xa6/0x1d0
    hugetlb_file_setup+0x102/0x2c0
    newseg+0x115/0x360
    ipcget+0x1ce/0x310
    sys_shmget+0x5a/0x60
    system_call_fastpath+0x16/0x1b

This was reported by Dave Jones, but was reproducible with the
libhugetlbfs test cases, so shame on me for not running them in the
first place.

With this, the oops is gone, and the output of libhugetlbfs's
run_tests.py is identical to plain 3.4 again.

[ Marked for stable, since this was introduced by commit c50ac050811d
  ("hugetlb: fix resv_map leak in error path") which was also marked for
  stable ]

Reported-by: Dave Jones <davej@redhat.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
 mm/hugetlb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 285a81e..e198831 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3036,7 +3036,8 @@ int hugetlb_reserve_pages(struct inode *inode,
 		region_add(&inode->i_mapping->private_list, from, to);
 	return 0;
 out_err:
-	resv_map_put(vma);
+	if (vma)
+		resv_map_put(vma);
 	return ret;
 }
 
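Review bot: The `if (vma)` guard added at `out_err` carries no comment saying why `vma` can be NULL on this path. Per the commit message, hugetlb_reserve_pages() is also called without a VMA (the trace reaches it through sys_shmget and hugetlb_file_setup), so a one-line comment above the check would keep a later cleanup from dropping it. It is also worth asking whether the check belongs inside resv_map_put() rather than at this one call site: the oops was in vma_resv_map(), called from resv_map_put(), so any other caller that passes a NULL vma would hit the same dereference.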


