[PATCH] shmem: Fix crash upon xas_store() failure.

From: Tetsuo Handa
Date: Mon Jul 09 2018 - 02:58:44 EST

Next message: Greg KH: "Re: [PATCH] Staging:fwserial Move LINUX_VENDOR_ID to firewire.h"
Previous message: Andy Shevchenko: "Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

syzbot is reporting list corruption [1]. This is because xas_store() from
shmem_add_to_page_cache() is not handling memory allocation failure. Fix
this by checking xas_error() after xas_store().

[1] https://syzkaller.appspot.com/bug?id=ccf34b892706ff6f3321da526329476eab23d5a0

Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Reported-by: syzbot+d8a8e42dfba0454286ff@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: "shmem: Convert shmem_add_to_page_cache to XArray"
---
mm/shmem.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/mm/shmem.c b/mm/shmem.c
index 0f151c8..382aeb3 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -606,6 +606,8 @@ static int shmem_add_to_page_cache(struct page *page,
}
next:
xas_store(&xas, page + i);
+ if (xas_error(&xas))
+ goto unlock;
if (++i < nr) {
xas_next(&xas);
goto next;
--
1.8.3.1

Next message: Greg KH: "Re: [PATCH] Staging:fwserial Move LINUX_VENDOR_ID to firewire.h"
Previous message: Andy Shevchenko: "Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]