--- /dev/null
+From a6edfd2bddd3582d3ac886856ce894de48f35842 Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Tue, 5 Mar 2019 15:46:50 -0800
+Subject: mm, mempolicy: fix uninit memory access
+
+[ Upstream commit 2e25644e8da4ed3a27e7b8315aaae74660be72dc ]
+
+Syzbot with KMSAN reports (excerpt):
+
+==================================================================
+BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline]
+BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
+CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
+ __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
+ mpol_rebind_policy mm/mempolicy.c:353 [inline]
+ mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
+ update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120
+ update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline]
+ update_nodemask kernel/cgroup/cpuset.c:1253 [inline]
+ cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728
+
+...
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
+ kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
+ kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
+ kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777
+ mpol_new mm/mempolicy.c:276 [inline]
+ do_mbind mm/mempolicy.c:1180 [inline]
+ kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347
+ __do_sys_mbind mm/mempolicy.c:1354 [inline]
+
+As it's difficult to report where exactly the uninit value resides in
+the mempolicy object, we have to guess a bit. mm/mempolicy.c:353
+contains this part of mpol_rebind_policy():
+
+ if (!mpol_store_user_nodemask(pol) &&
+ nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
+
+"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't
+ever see being uninitialized after leaving mpol_new(). So I'll guess
+it's actually about accessing pol->w.cpuset_mems_allowed on line 354,
+but still part of statement starting on line 353.
+
+For w.cpuset_mems_allowed to be not initialized, and the nodes_equal()
+reachable for a mempolicy where mpol_set_nodemask() is called in
+do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy
+with empty set of nodes, i.e. MPOL_LOCAL equivalent, with MPOL_F_LOCAL
+flag. Let's exclude such policies from the nodes_equal() check. Note
+the uninit access should be benign anyway, as rebinding this kind of
+policy is always a no-op. Therefore no actual need for stable
+inclusion.
+
+Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b27c@suse.cz
+Link: http://lkml.kernel.org/r/73da3e9c-cc84-509e-17d9-0c434bb9967d@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Reported-by: syzbot+b19c2dc2c990ea657a71@syzkaller.appspotmail.com
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Yisheng Xie <xieyisheng1@huawei.com>
+Cc: zhong jiang <zhongjiang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/mempolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 1528c0b8d9bd..6ca0225335eb 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -349,7 +349,7 @@ static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)
+ {
+ if (!pol)
+ return;
+- if (!mpol_store_user_nodemask(pol) &&
++ if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
+ nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
+ return;
+
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / blobdiff