Date: Sun, 15 Dec 2024 21:52:10 -0800
From: Andrew Morton
To: Leo Stone
Cc: syzbot+8a3da2f1bbf59227c289@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] mm: huge_memory: Handle strsep not finding delimiter
Message-Id: <20241215215210.b02854acf4ca32be83aff718@linux-foundation.org>
In-Reply-To: <20241216042752.257090-2-leocstone@gmail.com>
References: <675fa124.050a0220.37aaf.0113.GAE@google.com> <20241216042752.257090-2-leocstone@gmail.com>

On Sun, 15 Dec 2024 20:27:51 -0800 Leo Stone wrote:

> split_huge_pages_write does not handle the case where strsep finds no
> delimiter in the given string and sets the input buffer to NULL,
> which allows this reproducer to trigger a protection fault.
>
> ...
>
> --- a/mm/huge_memory.c > +++ b/mm/huge_memory.c > @@ -4168,7 +4168,7 @@ static ssize_t split_huge_pages_write(struct file *file, const char __user *buf, > size_t input_len = strlen(input_buf); > > tok = strsep(&buf, ","); > - if (tok) { > + if (tok && buf) { > strscpy(file_path, tok); > } else { > ret = -EINVAL;

lgtm, thanks.

The duplicated `buf' made review of this unnecessarily annoying, so...

From: Andrew Morton
Subject: mm/huge_memory.c: rename shadowed local
Date: Sun Dec 15 09:44:47 PM PST 2024

split_huge_pages_write() has a local `buf' which shadows incoming arg `buf'. Reviewer confusion resulted.

Cc: Leo Stone
Signed-off-by: Andrew Morton
--- mm/huge_memory.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/mm/huge_memory.c~mm-huge_memoryc-rename-shadowed-local +++ a/mm/huge_memory.c 
@@ -4169,20 +4169,21 @@ static ssize_t split_huge_pages_write(st if (input_buf[0] == '/') { char *tok; - char *buf = input_buf; + char *tok_buf = input_buf; char file_path[MAX_INPUT_BUF_SZ]; pgoff_t off_start = 0, off_end = 0; size_t input_len = strlen(input_buf); - tok = strsep(&buf, ","); - if (tok && buf) { + tok = strsep(&tok_buf, ","); + if (tok && tok_buf) { strscpy(file_path, tok); } else { ret = -EINVAL; goto out; } - ret = sscanf(buf, "0x%lx,0x%lx,%d", &off_start, &off_end, &new_order); + ret = sscanf(tok_buf, "0x%lx,0x%lx,%d", &off_start, + &off_end, &new_order); if (ret != 2 && ret != 3) { ret = -EINVAL; goto out; _
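
Review bot: in the quoted fix to split_huge_pages_write(), the `tok &&` half of `if (tok && buf)` can never be false, because strsep() returns its starting pointer whenever that pointer is non-NULL and the local `buf` is initialised from `input_buf`. The test that does the work is `buf`, which strsep() sets to NULL when it finds no ",". Consider testing only the remainder pointer and adding a one-line comment saying that a path with no comma leaves it NULL, so the reason for the -EINVAL branch is visible at the call site.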
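
Review bot: the removed line `if (tok && buf) {` in the rename hunk shows that this patch applies only on top of the strsep fix, and the changelog does not say so; state the ordering so the fix can be taken on its own without the rename. The rename itself is complete for the lines shown: the declaration, the strsep() call, the NULL test and the sscanf() call all use `tok_buf`, so nothing in this block still reads the `__user` argument `buf` by accident.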
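
The strsep() behaviour described in the quoted changelog, as an added userspace example that is not code from the thread or from the kernel: parse_split_request() and its parameters are hypothetical names, the sample inputs are constructed, and strcpy() behind a length check stands in for the kernel's strscpy().

```c
#define _DEFAULT_SOURCE            /* exposes strsep() on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace sketch of parsing "<path>,0x<start>,0x<end>[,<order>]".
 * parse_split_request() and its parameters are hypothetical names,
 * not kernel code. Returns 0 or -EINVAL; `input` is modified.
 */
int parse_split_request(char *input, char *path, size_t path_sz,
                        unsigned long *start, unsigned long *end, int *order)
{
    char *rest = input;
    char *tok = strsep(&rest, ",");
    int n;

    /* No ',' found: strsep() returned the whole string and set rest to NULL. */
    if (!tok || !rest)
        return -EINVAL;
    if (strlen(tok) >= path_sz)
        return -EINVAL;
    strcpy(path, tok);

    n = sscanf(rest, "0x%lx,0x%lx,%d", start, end, order);
    if (n != 2 && n != 3)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed inputs: well-formed, no delimiter, delimiter but no offsets. */
    char *samples[] = { "/tmp/f,0x0,0x10,2", "/tmp/f", "/tmp/f," };
    for (size_t i = 0; i < 3; i++) {
        char in[64], path[64];
        unsigned long s = 0, e = 0;
        int order = 0;
        strcpy(in, samples[i]);
        int ret = parse_split_request(in, path, sizeof(path), &s, &e, &order);
        printf("%-20s -> %d\n", samples[i], ret);
    }
    return 0;
}
```

Without the `!rest` test, the second sample would hand a NULL pointer to sscanf(), which is the userspace counterpart of the fault the reproducer triggers.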