[patch] Oops on tmpfs remounts with mpol=default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



One of our customers reported an Oops when trying to remount a tmpfs mount
back with  'default' mempolicy after changing it to a non default policy.

Upon examination of code, I found that the kernel remount code tries to
dereference the 'NULL' mempolicy object returned by mpol_new at
mpol_parse_str.

Attached is the oops snippet.  Please find the proposed fix inline.

Thanks,
Kiran

---

Fix an 'oops' when a tmpfs mount point is remounted with the 'default'
mempolicy.

Upon remounting a tmpfs mount point with 'mpol=default' option, the remount
code crashed with a null pointer dereference.  The initial problem report was
on 2.6.27, but the problem exists in mainline 2.6.34-rc  as well. On
examining the code, we see that mpol_new returns NULL if default mempolicy
was requested.   This 'NULL' mempolicy is accessed to store the node mask
resulting in oops.

The following patch fixes the oops by avoiding dereferencing NULL if the
new mempolicy is NULL.
The patch also sets 'err' to 0 if MPOL_DEFAULT is passed (err is initialized
to 1 initially at mpol_parse_str())


Signed-off-by: Ravikiran Thirumalai <kiran@xxxxxxxxxxxx>

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index bda230e..a86277d 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2213,10 +2213,14 @@ int mpol_parse_str(char *str, struct mempolicy **mpol, int no_context)
 			goto out;
 		mode = MPOL_PREFERRED;
 		break;
-
+	case MPOL_DEFAULT:
+		/*
+		 * mpol_new() enforces empty nodemask, ignores flags.
+		 */
+		err = 0;
+		break;
 	/*
 	 * case MPOL_BIND:    mpol_new() enforces non-empty nodemask.
-	 * case MPOL_DEFAULT: mpol_new() enforces empty nodemask, ignores flags.
 	 */
 	}
 
@@ -2250,7 +2254,7 @@ int mpol_parse_str(char *str, struct mempolicy **mpol, int no_context)
 		if (ret) {
 			err = 1;
 			mpol_put(new);
-		} else if (no_context) {
+		} else if (no_context && new) {
 			/* save for contextualization */
 			new->w.user_nodemask = nodes;
 		}
[ 1159.848055] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 1159.856087] IP: [<ffffffff810ac096>] mpol_parse_str+0x1c6/0x2b0
[ 1159.856472] PGD a7dfd067 PUD aa1fe067 PMD 0 
[ 1159.856472] Oops: 0002 [#1] SMP 
[ 1159.856472] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:0a:01.0/local_cpus
[ 1159.876476] CPU 7 
[ 1159.876476] Modules linked in: nfs lockd nfs_acl sunrpc ecb cbc md5 aes_generic iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
[ 1159.876476] 
[ 1159.876476] Pid: 6235, comm: mount Not tainted 2.6.34-rc1-00005-g522dba7 #5 B7DW3/B7DW3
[ 1159.876476] RIP: 0010:[<ffffffff810ac096>]  [<ffffffff810ac096>] mpol_parse_str+0x1c6/0x2b0
[ 1159.876476] RSP: 0018:ffff8800aa125d68  EFLAGS: 00010202
[ 1159.876476] RAX: 0000000000000000 RBX: ffff8800ab7ed000 RCX: 0000000000000000
[ 1159.876476] RDX: ffff8800aa125d78 RSI: 0000000000000001 RDI: 0000000000000000
[ 1159.876476] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
[ 1159.876476] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000001
[ 1159.876476] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8800aa125e58
[ 1159.876476] FS:  00007fc29bc47760(0000) GS:ffff8800ac400000(0000) knlGS:0000000000000000
[ 1159.876476] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1159.876476] CR2: 0000000000000010 CR3: 00000000a9a93000 CR4: 00000000000006e0
[ 1159.876476] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1159.876476] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1159.876476] Process mount (pid: 6235, threadinfo ffff8800aa124000, task ffff8800ab7ed000)
[ 1159.876476] Stack:
[ 1159.876476]  000001fe000001fe 00000001aafe0a80 ffff8800aafe0b48 ffffffff810ccb3f
[ 1159.876476] <0> 0000000000000000 0000006700000000 0000006800000068 0000000000000000
[ 1159.876476] <0> ffff8800a7663000 ffff8800a7663005 ffff8800aa125e28 ffff8800aa125de8
[ 1159.876476] Call Trace:
[ 1159.876476]  [<ffffffff810ccb3f>] ? mntput_no_expire+0x1f/0xa0
[ 1159.876476]  [<ffffffff8108c7ac>] ? shmem_parse_options+0x2ac/0x2e0
[ 1159.876476]  [<ffffffff810c1313>] ? do_path_lookup+0x33/0x60
[ 1159.876476]  [<ffffffff8108d42d>] ? shmem_remount_fs+0x5d/0x110
[ 1159.876476]  [<ffffffff810b735f>] ? do_remount_sb+0x7f/0x180
[ 1159.876476]  [<ffffffff810cdef8>] ? do_mount+0x668/0x800
[ 1159.876476]  [<ffffffff810cc4fd>] ? copy_mount_options+0x10d/0x180
[ 1159.876476]  [<ffffffff810ce125>] ? sys_mount+0x95/0xf0
[ 1159.876476]  [<ffffffff81002302>] ? system_call_fastpath+0x16/0x1b
[ 1159.876476] Code: 54 24 10 48 8d 74 24 20 48 89 ef e8 a5 e2 ff ff fe 83 cc 04 00 00 85 c0 75 1a 8b 74 24 0c 85 f6 0f 84 b8 fe ff ff 48 8b 44 24 20 <48> 89 45 10 e9 aa fe ff ff 48 85 ed 0f 84 ca 00 00 00 48 89 ef 
[ 1159.876476] RIP  [<ffffffff810ac096>] mpol_parse_str+0x1c6/0x2b0
[ 1159.876476]  RSP <ffff8800aa125d68>
[ 1159.876476] CR2: 0000000000000010
[ 1159.878411] ---[ end trace 0c86a8c1b0b4c73c ]---

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]