mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()
authorJackie Liu <liuyun01@kylinos.cn>
Wed, 1 Apr 2026 00:57:02 +0000 (08:57 +0800)
committerAndrew Morton <akpm@linux-foundation.org>
Sat, 18 Apr 2026 07:10:51 +0000 (00:10 -0700)
weighted_interleave_auto_store() fetches old_wi_state inside the if
(!input) block only.  This causes two memory leaks:

1. When a user writes "false" and the current mode is already manual,
   the function returns early without freeing the freshly allocated
   new_wi_state.

2. When a user writes "true", old_wi_state stays NULL because the
   fetch is skipped entirely. The old state is then overwritten by
   rcu_assign_pointer() but never freed, since the cleanup path is
   gated on old_wi_state being non-NULL. A user can trigger this
   repeatedly by writing "1" in a loop.

Fix both leaks by moving the old_wi_state fetch before the input check,
making it unconditional.  This also allows a unified early return for both
"true" and "false" when the requested mode matches the current mode.

Link: https://lore.kernel.org/20260401005702.7096-1-liu.yun@linux.dev
Link: https://sashiko.dev/#/patchset/20260331100740.84906-1-liu.yun@linux.dev
Fixes: e341f9c3c841 ("mm/mempolicy: Weighted Interleave Auto-tuning")
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Reviewed-by: Joshua Hahn <joshua.hahnjy@gmail.com>
Reviewed by: Donet Tom <donettom@linux.ibm.com>
Cc: Gregory Price <gourry@gourry.net>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: <stable@vger.kernel.org> # v6.16+
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
mm/mempolicy.c

index fd08771e2057b3e5de533d49454a6e014231917e..62108a5b74c4ed53536db7839ad4e27a4b23dd50 100644 (file)
@@ -3700,18 +3700,19 @@ static ssize_t weighted_interleave_auto_store(struct kobject *kobj,
                new_wi_state->iw_table[i] = 1;
 
        mutex_lock(&wi_state_lock);
-       if (!input) {
-               old_wi_state = rcu_dereference_protected(wi_state,
-                                       lockdep_is_held(&wi_state_lock));
-               if (!old_wi_state)
-                       goto update_wi_state;
-               if (input == old_wi_state->mode_auto) {
-                       mutex_unlock(&wi_state_lock);
-                       return count;
-               }
+       old_wi_state = rcu_dereference_protected(wi_state,
+                               lockdep_is_held(&wi_state_lock));
 
-               memcpy(new_wi_state->iw_table, old_wi_state->iw_table,
-                                              nr_node_ids * sizeof(u8));
+       if (old_wi_state && input == old_wi_state->mode_auto) {
+               mutex_unlock(&wi_state_lock);
+               kfree(new_wi_state);
+               return count;
+       }
+
+       if (!input) {
+               if (old_wi_state)
+                       memcpy(new_wi_state->iw_table, old_wi_state->iw_table,
+                                                      nr_node_ids * sizeof(u8));
                goto update_wi_state;
        }