    hugetlbfs: initialize shared policy as part of inode allocation · 4742a35d
    Mike Kravetz authored
    Any time after inode allocation, destroy_inode can be called.  The
    hugetlbfs inode contains a shared_policy structure, and
    mpol_free_shared_policy is unconditionally called as part of
    hugetlbfs_destroy_inode.  Initialize the policy as part of inode
    allocation so that any quick (error path) calls to destroy_inode will be
    handed an initialized policy.
    
    syzkaller fuzzer found this bug, that resulted in the following:
    
        BUG: KASAN: user-memory-access in atomic_inc
        include/asm-generic/atomic-instrumented.h:87 [inline] at addr
        000000131730bd7a
        BUG: KASAN: user-memory-access in __lock_acquire+0x21a/0x3a80
        kernel/locking/lockdep.c:3239 at addr 000000131730bd7a
        Write of size 4 by task syz-executor6/14086
        CPU: 3 PID: 14086 Comm: syz-executor6 Not tainted 4.11.0-rc3+ #364
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Call Trace:
         atomic_inc include/asm-generic/atomic-instrumented.h:87 [inline]
         __lock_acquire+0x21a/0x3a80 kernel/locking/lockdep.c:3239
         lock_acquire+0x1ee/0x590 kernel/locking/lockdep.c:3762
         __raw_write_lock include/linux/rwlock_api_smp.h:210 [inline]
         _raw_write_lock+0x33/0x50 kernel/locking/spinlock.c:295
         mpol_free_shared_policy+0x43/0xb0 mm/mempolicy.c:2536
         hugetlbfs_destroy_inode+0xca/0x120 fs/hugetlbfs/inode.c:952
         alloc_inode+0x10d/0x180 fs/inode.c:216
         new_inode_pseudo+0x69/0x190 fs/inode.c:889
         new_inode+0x1c/0x40 fs/inode.c:918
         hugetlbfs_get_inode+0x40/0x420 fs/hugetlbfs/inode.c:734
         hugetlb_file_setup+0x329/0x9f0 fs/hugetlbfs/inode.c:1282
         newseg+0x422/0xd30 ipc/shm.c:575
         ipcget_new ipc/util.c:285 [inline]
         ipcget+0x21e/0x580 ipc/util.c:639
         SYSC_shmget ipc/shm.c:673 [inline]
         SyS_shmget+0x158/0x230 ipc/shm.c:657
         entry_SYSCALL_64_fastpath+0x1f/0xc2
    
    Analysis provided by Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    
    Link: http://lkml.kernel.org/r/1490477850-7944-1-git-send-email-mike.kravetz@oracle.com
    Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
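The lifecycle problem the commit describes, as an added userspace model that is not the kernel's code: the generic inode layer can fail right after the filesystem's alloc hook and then call the destroy hook on a half-built inode, so any sub-structure the destroy hook touches unconditionally must be initialized in the alloc hook itself. Names (`get_inode`, `hugetlbfs_alloc`, `POLICY_MAGIC`) and the junk-fill standing in for unzeroed slab memory are constructed for the example; `init_in_alloc` selects the pre-fix (false) or post-fix (true) placement of the policy initialization.

```c
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define POLICY_MAGIC 0x504f4c43u /* constructed marker for "policy was initialized" */

/* Constructed stand-ins for the kernel's shared_policy and hugetlbfs_inode_info. */
struct shared_policy { unsigned magic; int nr_nodes; };
struct hugetlbfs_inode_info { struct shared_policy policy; int other_state; };

/* Stands in for mpol_shared_policy_init(). */
static void shared_policy_init(struct shared_policy *sp) { sp->magic = POLICY_MAGIC; sp->nr_nodes = 0; }

/* Stands in for mpol_free_shared_policy(): the real one takes the policy's
 * rwlock and walks its tree unconditionally, so on uninitialized memory the
 * kernel dereferences garbage (the KASAN report above). Modelled as -1 here. */
static int shared_policy_free(struct shared_policy *sp) {
    if (sp->magic != POLICY_MAGIC) return -1;
    sp->nr_nodes = 0; sp->magic = 0;
    return 0;
}

/* Stands in for hugetlbfs_alloc_inode(). */
static struct hugetlbfs_inode_info *hugetlbfs_alloc(bool init_in_alloc) {
    struct hugetlbfs_inode_info *p = malloc(sizeof *p);
    if (!p) return NULL;
    memset(p, 0x5a, sizeof *p);              /* slab memory is not zeroed: fill with junk */
    if (init_in_alloc) shared_policy_init(&p->policy);   /* the fix: init at allocation */
    return p;
}

/* Stands in for hugetlbfs_destroy_inode(): frees the policy every time. */
static int hugetlbfs_destroy(struct hugetlbfs_inode_info *p) {
    int rc = shared_policy_free(&p->policy);
    free(p);
    return rc;
}

/* Models new_inode() -> alloc_inode() -> hugetlbfs_get_inode(). Returns 0 on a
 * normal alloc/destroy round trip, -2 when the generic init fails and the error
 * path tears down cleanly, -1 when that teardown hits an uninitialized policy. */
static int get_inode(bool init_in_alloc, bool generic_init_fails) {
    struct hugetlbfs_inode_info *p = hugetlbfs_alloc(init_in_alloc);
    if (!p) return -3;
    if (generic_init_fails)                  /* alloc_inode() error path: destroy immediately */
        return hugetlbfs_destroy(p) ? -1 : -2;
    if (!init_in_alloc) shared_policy_init(&p->policy); /* pre-fix: init only in get_inode() */
    return hugetlbfs_destroy(p);             /* normal end of the inode's life */
}
```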