From: Greg Kroah-Hartman
Date: Mon, 11 Apr 2022 07:39:55 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.310~90
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93371303c95667f877c6e1a1658b550d78e736c1;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
mm-mempolicy-fix-mpol_new-leak-in-shared_policy_replace.patch
---
diff --git a/queue-4.9/mm-mempolicy-fix-mpol_new-leak-in-shared_policy_replace.patch b/queue-4.9/mm-mempolicy-fix-mpol_new-leak-in-shared_policy_replace.patch
new file mode 100644
index 00000000000..57fc0df256f
--- /dev/null
+++ b/queue-4.9/mm-mempolicy-fix-mpol_new-leak-in-shared_policy_replace.patch
@@ -0,0 +1,51 @@
+From 4ad099559b00ac01c3726e5c95dc3108ef47d03e Mon Sep 17 00:00:00 2001
+From: Miaohe Lin
+Date: Fri, 8 Apr 2022 13:09:07 -0700
+Subject: mm/mempolicy: fix mpol_new leak in shared_policy_replace
+
+From: Miaohe Lin
+
+commit 4ad099559b00ac01c3726e5c95dc3108ef47d03e upstream.
+
+If mpol_new is allocated but not used in restart loop, mpol_new will be
+freed via mpol_put before returning to the caller. But refcnt is not
+initialized yet, so mpol_put could not do the right things and might
+leak the unused mpol_new. This would happen if mempolicy was updated on
+the shared shmem file while the sp->lock has been dropped during the
+memory allocation.
+
+This issue could be triggered easily with the below code snippet if
+there are many processes doing the below work at the same time:
+
+ shmid = shmget((key_t)5566, 1024 * PAGE__SIZE_PLACEHOLDER_DO_NOT_USE
@@ -190,3 +190,4 @@ net-stmmac-fix-unset-max_speed-difference-between-dt.patch drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch mmmremap.c-avoid-pointless-invalidate_range_start-end-on-mremap-old_size-0.patch +mm-mempolicy-fix-mpol_new-leak-in-shared_policy_replace.patch