Bug#796036: linux-image-3.16.0-4-amd64: concurrent msync triggers NULL pointer dereference



On Thu, 2015-09-10 at 18:39 +0200, Xavier Chantry wrote:
> On 10/09/2015 16:17, Ben Hutchings wrote:
> > On Thu, 2015-09-10 at 14:55 +0100, Ben Hutchings wrote:
> >> Control: tag -1 security patch
> >>
> >> On Tue, 2015-08-18 at 20:05 +0200, Xavier Chantry wrote:
> >>> Package: src:linux
> >>> Version: 3.16.7-ckt11-1
> >>> Severity: important
> >>>
> >>> Using Debian 3.16.7-ckt4-3 and a simple test case, we were able to
> >>> reproduce a
> >>> kernel bug in msync system call.
> >> [...]
> >>
> >> I can reproduce this too.  I also found a similar problem with
> >> madvise(..., MADV_REMOVE).  The attached patch (against
> >> 3.16.7-ckt11-1+deb8u3) should fix them both.
> >
> > Actually, try this version instead.
> >
> > Ben.
> >
> 
> Yep, I already figured that this change in msync.c from file to 
> vma->vm_file was the one triggering my problem and I reported it upstream:
> https://www.mail-archive.com/aufs-users@lists.sourceforge.net/msg05167.html
> 
> J. R. Okajima acknowledged the problem and that vma->vm_file should not 
> be used, however he plans to keep the fput on vm_prfile. I guess that's 
> needed when doing msync / madvise on aufs ?
> https://www.mail-archive.com/aufs-users@lists.sourceforge.net/msg05169.html
> He said he would post a new fix, but only in a few weeks. It doesn't 
> seem that complicated but well, he looks busy.

In these two places there's nothing using vm_prfile so there should be
no need to get or put the reference.

Ben.