| Message ID | 20240730051625.14349-1-viro@kernel.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [01/39] memcg_write_event_control(): fix a user-triggerable oops | expand |
On Tue 30-07-24 01:15:47, viro@kernel.org wrote: > From: Al Viro <viro@zeniv.linux.org.uk> > > we are *not* guaranteed that anything past the terminating NUL > is mapped (let alone initialized with anything sane). > > [the sucker got moved in mainline] > You could have preserved Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications") Cc: stable > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> and Acked-by: Michal Hocko <mhocko@suse.com> > --- > mm/memcontrol-v1.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c > index 2aeea4d8bf8e..417c96f2da28 100644 > --- a/mm/memcontrol-v1.c > +++ b/mm/memcontrol-v1.c > @@ -1842,9 +1842,12 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, > buf = endp + 1; > > cfd = simple_strtoul(buf, &endp, 10); > - if ((*endp != ' ') && (*endp != '\0')) > + if (*endp == '\0') > + buf = endp; > + else if (*endp == ' ') > + buf = endp + 1; > + else > return -EINVAL; > - buf = endp + 1; > > event = kzalloc(sizeof(*event), GFP_KERNEL); > if (!event) > -- > 2.39.2 >
On Tue, Jul 30, 2024 at 09:13:38AM +0200, Michal Hocko wrote: > On Tue 30-07-24 01:15:47, viro@kernel.org wrote: > > From: Al Viro <viro@zeniv.linux.org.uk> > > > > we are *not* guaranteed that anything past the terminating NUL > > is mapped (let alone initialized with anything sane). > > > > [the sucker got moved in mainline] > > > > You could have preserved > Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications") > Cc: stable > > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > > and > Acked-by: Michal Hocko <mhocko@suse.com> Will do; FWIW, I think it would be better off going via the cgroup tree - it's completely orthogonal to the rest of the series, the only relation being "got caught during the same audit"...
I think it can go through Andrew as well. The patch is https://lore.kernel.org/all/20240730051625.14349-1-viro@kernel.org/T/#u On Tue 30-07-24 08:18:51, Al Viro wrote: > On Tue, Jul 30, 2024 at 09:13:38AM +0200, Michal Hocko wrote: > > On Tue 30-07-24 01:15:47, viro@kernel.org wrote: > > > From: Al Viro <viro@zeniv.linux.org.uk> > > > > > > we are *not* guaranteed that anything past the terminating NUL > > > is mapped (let alone initialized with anything sane). > > > > > > [the sucker got moved in mainline] > > > > > > > You could have preserved > > Fixes: 0dea116876ee ("cgroup: implement eventfd-based generic API for notifications") > > Cc: stable > > > > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> > > > > and > > Acked-by: Michal Hocko <mhocko@suse.com> > > Will do; FWIW, I think it would be better off going via the > cgroup tree - it's completely orthogonal to the rest of the > series, the only relation being "got caught during the same > audit"...
diff --git a/mm/memcontrol-v1.c b/mm/memcontrol-v1.c index 2aeea4d8bf8e..417c96f2da28 100644 --- a/mm/memcontrol-v1.c +++ b/mm/memcontrol-v1.c @@ -1842,9 +1842,12 @@ static ssize_t memcg_write_event_control(struct kernfs_open_file *of, buf = endp + 1; cfd = simple_strtoul(buf, &endp, 10); - if ((*endp != ' ') && (*endp != '\0')) + if (*endp == '\0') + buf = endp; + else if (*endp == ' ') + buf = endp + 1; + else return -EINVAL; - buf = endp + 1; event = kzalloc(sizeof(*event), GFP_KERNEL); if (!event)