[PATCH] sys_swapon bad arg causing slab corruption

There's an error in sys_swapon() that can cause slab corruption if you pass in a bad specialfile pointer. getname() then returns ERR_PTR(-EFAULT), but sys_swapon() doesn't clear name before calling putname() on it (thus freeing 0xfffffff2, corrupting slab). An ltp test case repeatedly crashed in later tests due to thus, irk.

[PATCH] sys_swapon bad arg causing slab corruption
There's an error in sys_swapon() that can cause slab corruption if you pass in a bad specialfile pointer. getname() then returns ERR_PTR(-EFAULT), but sys_swapon() doesn't clear name before calling putname() on it (thus freeing 0xfffffff2, corrupting slab). An ltp test case repeatedly crashed in later tests due to thus, irk.
a1f846e8 · Jens Axboe · Linus Torvalds · 17563a77 · a1f846e8
Commit a1f846e8 authored Mar 15, 2004 by Jens Axboe Committed by Linus Torvalds Mar 15, 2004
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

mm/swapfile.c mm/swapfile.c +3 -1

No files found.
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1269,8 +1269,10 @@ asmlinkage long sys_swapon(const char __user * specialfile, int swap_flags)
 	swap_list_unlock();
 	name = getname(specialfile);
 	error = PTR_ERR(name);
-	if (IS_ERR(name))
+	if (IS_ERR(name)) {
+		name = NULL;
 		goto bad_swap_2;
+	}
 	swap_file = filp_open(name, O_RDWR, 0);
 	error = PTR_ERR(swap_file);
 	if (IS_ERR(swap_file)) {