5.6-stable patches

added patches:
	mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch

diff --git a/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch b/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
new file mode 100644 (file)
index 0000000..a800e97
--- /dev/null
+++ b/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
@@ -0,0 +1,57 @@
+From aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 1 Apr 2020 21:10:58 -0700
+Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
+
+Using an empty (malformed) nodelist that is not caught during mount option
+parsing leads to a stack-out-of-bounds access.
+
+The option string that was used was: "mpol=prefer:,".  However,
+MPOL_PREFERRED requires a single node number, which is not being provided
+here.
+
+Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
+nodeid.
+
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
+Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2841,7 +2841,9 @@ int mpol_parse_str(char *str, struct mem
+       switch (mode) {
+       case MPOL_PREFERRED:
+               /*
+-               * Insist on a nodelist of one node only
++               * Insist on a nodelist of one node only, although later
++               * we use first_node(nodes) to grab a single node, so here
++               * nodelist (or nodes) cannot be empty.
+                */
+               if (nodelist) {
+                       char *rest = nodelist;
+@@ -2849,6 +2851,8 @@ int mpol_parse_str(char *str, struct mem
+                               rest++;
+                       if (*rest)
+                               goto out;
++                      if (nodes_empty(nodes))
++                              goto out;
+               }
+               break;
+       case MPOL_INTERLEAVE:

diff --git a/queue-5.6/series b/queue-5.6/series
index 1ac8d705a1b15c54f69a687196483c160537331c..51085315d127c4b08cec46f1ec81b677131e8143 100644 (file)
--- a/queue-5.6/series
+++ b/queue-5.6/series
@@ -27,3 +27,4 @@ revert-dm-always-call-blk_queue_split-in-dm_process_bio.patch
 alsa-hda-ca0132-add-recon3di-quirk-to-handle-integrated-sound-on-evga-x99-classified-motherboard.patch
 soc-mediatek-knows_txdone-needs-to-be-set-in-mediatek-cmdq-helper.patch
 perf-python-fix-clang-detection-to-strip-out-options-passed-in-cc.patch
+mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch