651373 – NULL pointer dereference in reading vs. truncating race

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 651373 - NULL pointer dereference in reading vs. truncating race

Summary: NULL pointer dereference in reading vs. truncating race

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Johannes Weiner
QA Contact:	Red Hat Kernel QE team
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	661892 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-11-09 12:32 UTC by Johannes Weiner
Modified:	2018-11-14 15:16 UTC (History)
CC List:	2 users (show)
Fixed In Version:	kernel-2.6.32-83.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-19 12:39:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
proposed patch (657 bytes, text/plain) 2011-03-26 15:43 UTC, IBM Bug Proxy	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0542	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update	2011-05-19 11:58:07 UTC

Description Johannes Weiner 2010-11-09 12:32:15 UTC

A read() with concurrent truncation opens up a tiny race window that crashes the kernel.

If the read() path finds a page in the page cache that is not yet fully read from disk but truncated again before the reader acquires the page lock, the kernel will crash with a NULL pointer dereference.

Comment 2 RHEL Program Management 2010-11-16 16:31:08 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 3 Aristeu Rozanski 2010-11-17 19:47:37 UTC

Patch(es) available on kernel-2.6.32-83.el6

Comment 5 Steve Best 2010-12-09 21:38:59 UTC

*** Bug 661892 has been marked as a duplicate of this bug. ***

Comment 7 IBM Bug Proxy 2011-03-26 15:43:47 UTC

------- Comment From sbest.com 2010-11-04 08:41 EDT-------
Dave, thanks for posting upstream.

http://www.spinics.net/lists/linux-mm/msg10985.html

------- Comment From sbest.com 2010-11-09 10:54 EDT-------
Johannes Weiner at RH just posted this patch to rh kernel mailing list.
rh bz is https://bugzilla.redhat.com/show_bug.cgi?id=651373

------- Comment From haveblue.com 2010-11-10 19:22 EDT-------
The patch is in -mm.  Unless something major happens, it's headed into Linus's tree pretty quickly.

------- Comment From haveblue.com 2010-11-16 14:46 EDT-------
Just hit Linus's tree:

http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8d056cb965b8fb7c53c564abf28b1962d1061cd3

Comment 8 IBM Bug Proxy 2011-03-26 15:43:53 UTC

Created attachment 487830 [details]
proposed patch

Comment 10 errata-xmlrpc 2011-05-19 12:39:40 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html

Note You need to log in before you can comment on or make changes to this bug.