Tetsuo Handa
Mar 23, 2017, 9:49:50 AM
to dvy...@google.com, n...@holomorphy.com, linux-...@vger.kernel.org, pa...@paul-moore.com, s...@tycho.nsa.gov, epa...@parisplace.org, james.l...@oracle.com, se...@hallyn.com, kees...@chromium.org, an...@enomsg.org, ccr...@android.com, tony...@intel.com, sel...@tycho.nsa.gov, linux-secu...@vger.kernel.org, linu...@kvack.org, syzk...@googlegroups.com
Dmitry Vyukov wrote:
> On Thu, Mar 23, 2017 at 2:06 PM, Dmitry Vyukov <dvy...@google.com> wrote:
> > Hello,
> >
> > I've got the following report while running syzkaller fuzzer on
> > 093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
> > kmalloc failure in inode_alloc_security, most likely it's the root
> > cause.
I don't think inode_alloc_security() failure is the root cause.
I think this is a bug in hugetlbfs or mm part.
If inode_alloc_security() fails, inode->i_security remains NULL
which was initialized to NULL at security_inode_alloc(). Thus,
security_inode_alloc() is irrelevant to this problem.
inode_init_always() returned -ENOMEM due to fault injection and
	if (unlikely(inode_init_always(sb, inode))) {
		if (inode->i_sb->s_op->destroy_inode)
			inode->i_sb->s_op->destroy_inode(inode);
		else
			kmem_cache_free(inode_cachep, inode);
		return NULL;
	}
hugetlbfs_destroy_inode() was called via inode->i_sb->s_op->destroy_inode()
when inode initialization failed
	static void hugetlbfs_destroy_inode(struct inode *inode)
	{
		hugetlbfs_inc_free_inodes(HUGETLBFS_SB(inode->i_sb));
		mpol_free_shared_policy(&HUGETLBFS_I(inode)->policy);
		call_rcu(&inode->i_rcu, hugetlbfs_i_callback);
	}
but mpol_shared_policy_init() is called only when new_inode() succeeds.
	inode = new_inode(sb);
	if (inode) {
		(...snipped...)
		info = HUGETLBFS_I(inode);
		/*
		 * The policy is initialized here even if we are creating a
		 * private inode because initialization simply creates an
		 * an empty rb tree and calls rwlock_init(), later when we
		 * call mpol_free_shared_policy() it will just return because
		 * the rb tree will still be empty.
		 */
		mpol_shared_policy_init(&info->policy, NULL);
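The lifecycle mismatch described in this reply, as an added stand-alone model (not kernel code and not from the thread): the policy is only set up after new_inode() succeeds, yet destroy_inode also runs when generic inode initialization fails, so the destructor tears down a policy that was never initialized. The struct names, the magic marker and the "early init" variant that initializes the policy in the allocation constructor are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for mpol shared_policy (rb tree + rwlock in the kernel). */
#define POLICY_INIT_MAGIC 0x5ea1edu
struct shared_policy { unsigned int magic; int nodes; };
struct hfs_inode { int generic_ok; struct shared_policy policy; };

static void policy_init(struct shared_policy *p) { p->magic = POLICY_INIT_MAGIC; p->nodes = 0; }

/* Returns 0 when freeing an initialized policy, -1 when handed an uninitialized one
 * (the kernel would instead walk whatever stale bytes look like an rb tree). */
static int policy_free(struct shared_policy *p) {
    if (p->magic != POLICY_INIT_MAGIC) return -1;
    p->nodes = 0; p->magic = 0; return 0;
}

/* Generic inode setup; 'fail' models the injected kmalloc failure from the report. */
static int inode_init_always(struct hfs_inode *i, bool fail) {
    if (fail) return -12; /* -ENOMEM */
    i->generic_ok = 1; return 0;
}

/* Pattern from the report: policy initialized only after new_inode() succeeds.
 * Returns the destructor's verdict: -1 means destroy ran on an uninitialized policy. */
static int lifecycle_late_init(bool inject_fail) {
    struct hfs_inode *i = malloc(sizeof *i);
    memset(i, 0xAB, sizeof *i);               /* slab memory is not zeroed; mimic stale contents */
    if (inode_init_always(i, inject_fail)) {  /* failure path calls destroy_inode on a half-built inode */
        int r = policy_free(&i->policy); free(i); return r;
    }
    policy_init(&i->policy);                  /* the mpol_shared_policy_init() that runs only on success */
    int r = policy_free(&i->policy); free(i); return r;
}

/* Balanced variant: initialize in the allocation constructor, so every destroy_inode
 * call, including the one on the init-failure path, sees an initialized policy. */
static int lifecycle_early_init(bool inject_fail) {
    struct hfs_inode *i = malloc(sizeof *i);
    memset(i, 0xAB, sizeof *i);
    policy_init(&i->policy);                  /* paired with policy_free() in destroy, unconditionally */
    if (inode_init_always(i, inject_fail)) { int r = policy_free(&i->policy); free(i); return r; }
    int r = policy_free(&i->policy); free(i); return r;
}

int main(void) { return lifecycle_late_init(true) == -1 && lifecycle_early_init(true) == 0 ? 0 : 1; }
```

Only the injected-failure path of the late-init variant reports a destroy on an uninitialized policy; the early-init variant is balanced on both paths.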