2012-06-02 16:54:37

by Siddhesh Poyarekar

[permalink] [raw]
Subject: [PATCH] Avoid dereferencing a possibly NULL mm

The NULL check for mm in exit_mm occurs after mm_release is
called. This looks wrong because mm_release dereferences mm:

...
if (!(tsk->flags & PF_SIGNALED) &&
atomic_read(&mm->mm_users) > 1) {
/*
...

This dereference seems unsafe and hence is fixed by moving the NULL
check above mm_release.

Signed-off-by: Siddhesh Poyarekar <[email protected]>
---
kernel/exit.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c
index 34867cc..15fe63c 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -640,9 +640,11 @@ static void exit_mm(struct task_struct * tsk)
struct mm_struct *mm = tsk->mm;
struct core_state *core_state;

- mm_release(tsk, mm);
if (!mm)
return;
+
+ mm_release(tsk, mm);
+
/*
* Serialize with any possible pending coredump.
* We must hold mmap_sem around checking core_state
--
1.7.7.6


2012-06-02 17:43:12

by Oleg Nesterov

[permalink] [raw]
Subject: Re: [PATCH] Avoid dereferencing a possibly NULL mm

On 06/02, Siddhesh Poyarekar wrote:
>
> The NULL check for mm in exit_mm occurs after mm_release is
> called. This looks wrong because mm_release dereferences mm:
>
> ...
> if (!(tsk->flags & PF_SIGNALED) &&
> atomic_read(&mm->mm_users) > 1) {
> /*
> ...

Yes, this looks wrong, but the task without ->mm shouldn't have
->clear_child_tid != NULL, so this is harmless.

> This dereference seems unsafe and hence is fixed by moving the NULL
> check above mm_release.

And this is wrong,

> --- a/kernel/exit.c
> +++ b/kernel/exit.c
> @@ -640,9 +640,11 @@ static void exit_mm(struct task_struct * tsk)
> struct mm_struct *mm = tsk->mm;
> struct core_state *core_state;
>
> - mm_release(tsk, mm);
> if (!mm)
> return;
> +
> + mm_release(tsk, mm);
> +

mm_release()->complete_vfork_done() should be called even if
->mm == NULL. See kthread_stop().

Probably this needs some cleanups or comments, but lets do
this on top of pending fixes in -mm tree.

Oleg.

2012-06-02 17:47:37

by Siddhesh Poyarekar

[permalink] [raw]
Subject: Re: [PATCH] Avoid dereferencing a possibly NULL mm

On 2 June 2012 23:11, Oleg Nesterov <[email protected]> wrote:
>
> Yes, this looks wrong, but the task without ->mm shouldn't have
> ->clear_child_tid != NULL, so this is harmless.
>

Oh right, I overlooked that. Thanks.


--
Siddhesh Poyarekar
http://siddhesh.in