Commit 08d4a246 authored by Michal Hocko's avatar Michal Hocko Committed by Linus Torvalds

hugetlb: check the return value of string conversion in sysctl handler

proc_doulongvec_minmax may fail if the given buffer doesn't represent a
valid number.  If we provide something invalid we will initialize the
resulting value (nr_overcommit_huge_pages in this case) to a random value
from the stack.

The issue was introduced by a3d0c6aa when the default handler has been
replaced by the helper function where we do not check the return value.

Reproducer:
echo "" > /proc/sys/vm/nr_overcommit_hugepages

[akpm@linux-foundation.org: correctly propagate proc_doulongvec_minmax return code]
Signed-off-by: default avatarMichal Hocko <mhocko@suse.cz>
Cc: CAI Qian <caiqian@redhat.com>
Cc: Nishanth Aravamudan <nacc@us.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent cb9ef8d5
...@@ -1859,13 +1859,16 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, ...@@ -1859,13 +1859,16 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
{ {
struct hstate *h = &default_hstate; struct hstate *h = &default_hstate;
unsigned long tmp; unsigned long tmp;
int ret;
if (!write) if (!write)
tmp = h->max_huge_pages; tmp = h->max_huge_pages;
table->data = &tmp; table->data = &tmp;
table->maxlen = sizeof(unsigned long); table->maxlen = sizeof(unsigned long);
proc_doulongvec_minmax(table, write, buffer, length, ppos); ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
if (ret)
goto out;
if (write) { if (write) {
NODEMASK_ALLOC(nodemask_t, nodes_allowed, NODEMASK_ALLOC(nodemask_t, nodes_allowed,
...@@ -1880,8 +1883,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy, ...@@ -1880,8 +1883,8 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
if (nodes_allowed != &node_states[N_HIGH_MEMORY]) if (nodes_allowed != &node_states[N_HIGH_MEMORY])
NODEMASK_FREE(nodes_allowed); NODEMASK_FREE(nodes_allowed);
} }
out:
return 0; return ret;
} }
int hugetlb_sysctl_handler(struct ctl_table *table, int write, int hugetlb_sysctl_handler(struct ctl_table *table, int write,
...@@ -1919,21 +1922,24 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write, ...@@ -1919,21 +1922,24 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
{ {
struct hstate *h = &default_hstate; struct hstate *h = &default_hstate;
unsigned long tmp; unsigned long tmp;
int ret;
if (!write) if (!write)
tmp = h->nr_overcommit_huge_pages; tmp = h->nr_overcommit_huge_pages;
table->data = &tmp; table->data = &tmp;
table->maxlen = sizeof(unsigned long); table->maxlen = sizeof(unsigned long);
proc_doulongvec_minmax(table, write, buffer, length, ppos); ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
if (ret)
goto out;
if (write) { if (write) {
spin_lock(&hugetlb_lock); spin_lock(&hugetlb_lock);
h->nr_overcommit_huge_pages = tmp; h->nr_overcommit_huge_pages = tmp;
spin_unlock(&hugetlb_lock); spin_unlock(&hugetlb_lock);
} }
out:
return 0; return ret;
} }
#endif /* CONFIG_SYSCTL */ #endif /* CONFIG_SYSCTL */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment