5.5-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Apr 2020 14:56:14 +0000 (16:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 7 Apr 2020 14:56:14 +0000 (16:56 +0200)
added patches:
mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch

queue-5.5/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch [new file with mode: 0644]
queue-5.5/series

diff --git a/queue-5.5/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch b/queue-5.5/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
new file mode 100644 (file)
index 0000000..a800e97
--- /dev/null
@@ -0,0 +1,57 @@
+From aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 1 Apr 2020 21:10:58 -0700
+Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
+
+Using an empty (malformed) nodelist that is not caught during mount option
+parsing leads to a stack-out-of-bounds access.
+
+The option string that was used was: "mpol=prefer:,".  However,
+MPOL_PREFERRED requires a single node number, which is not being provided
+here.
+
+Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
+nodeid.
+
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
+Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
+Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/mempolicy.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2841,7 +2841,9 @@ int mpol_parse_str(char *str, struct mem
+       switch (mode) {
+       case MPOL_PREFERRED:
+               /*
+-               * Insist on a nodelist of one node only
++               * Insist on a nodelist of one node only, although later
++               * we use first_node(nodes) to grab a single node, so here
++               * nodelist (or nodes) cannot be empty.
+                */
+               if (nodelist) {
+                       char *rest = nodelist;
+@@ -2849,6 +2851,8 @@ int mpol_parse_str(char *str, struct mem
+                               rest++;
+                       if (*rest)
+                               goto out;
++                      if (nodes_empty(nodes))
++                              goto out;
+               }
+               break;
+       case MPOL_INTERLEAVE:
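Review bot: The reworded comment in the MPOL_PREFERRED case says the nodelist "cannot be empty" but not what goes wrong if it is, which is what a later reader needs to know before touching the `nodes_empty(nodes)` check. I would state the invariant directly, e.g. `/* Require exactly one node: first_node(nodes) is used later and has no valid node id to return for an empty mask. */`. The new check sits inside `if (nodelist)`, so it only covers the form with an explicit node list; how the form without one avoids first_node() is not visible, because mpol_parse_str() starts and ends outside the hunk. Since the string comes from a mount option, it is also worth confirming that `out` still returns an error on this path in the 5.5 tree the patch is queued for.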
index 9e0518caff8bfbefb6358bcd41e28e4dddb567d9..cb94eca8566f3316d24b35ffc3eb87a2459f38dd 100644 (file)
@@ -45,3 +45,4 @@ net-genetlink-return-the-error-code-when-attribute-parsing-fails.patch
 net-fix-tx-hash-bound-checking.patch
 net-smc-fix-cleanup-for-linkgroup-setup-failures.patch
 padata-always-acquire-cpu_hotplug_lock-before-pinst-lock.patch
+mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch