From: Greg Kroah-Hartman
Date: Sun, 2 Oct 2022 10:22:03 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v5.19.13~37
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2f26184212b5386abf5f6ab51c8af168a0ee0d29;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches
added patches:
mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
---
diff --git a/queue-4.9/mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch b/queue-4.9/mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
new file mode 100644
index 00000000000..e2e86cfcacc
--- /dev/null
+++ b/queue-4.9/mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
@@ -0,0 +1,54 @@
+From dac22531bbd4af2426c4e29e05594415ccfa365d Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi
+Date: Fri, 15 Jul 2022 14:50:13 +0200
+Subject: mm: prevent page_frag_alloc() from corrupting the memory
+
+From: Maurizio Lombardi
+
+commit dac22531bbd4af2426c4e29e05594415ccfa365d upstream.
+
+A number of drivers call page_frag_alloc() with a fragment's size >
+PAGE_SIZE.
+
+In low memory conditions, __page_frag_cache_refill() may fail the order
+3 cache allocation and fall back to order 0; In this case, the cache
+will be smaller than the fragment, causing memory corruptions.
+
+Prevent this from happening by checking if the newly allocated cache is
+large enough for the fragment; if not, the allocation will fail and
+page_frag_alloc() will return NULL.
+
+Link: https://lkml.kernel.org/r/20220715125013.247085-1-mlombard@redhat.com
+Fixes: b63ae8ca096d ("mm/net: Rename and move page fragment handling from net/ to mm/")
+Signed-off-by: Maurizio Lombardi
+Reviewed-by: Alexander Duyck
+Cc: Chen Lin
+Cc: Jakub Kicinski
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/page_alloc.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3987,6 +3987,18 @@ refill:
+ /* reset page count bias and offset to start of new frag */
+ nc->pagecnt_bias = PAGE_FRAG_CACHE_MAX_SIZE + 1;
+ offset = size - fragsz;
++ if (unlikely(offset < 0)) {
++ /*
++ * The caller is trying to allocate a fragment
++ * with fragsz > PAGE_SIZE but the cache isn't big
++ * enough to satisfy the request, this may
++ * happen in low memory conditions.
++ * We don't release the cache page because
++ * it could make memory pressure worse
++ * so we simply return NULL here.
++ */
++ return NULL;
++ }
+ }
+ 
+ nc->pagecnt_bias--;
diff --git a/queue-4.9/series b/queue-4.9/series
index 45a191417e3..a37d5063da0 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
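Review bot: The added `if (unlikely(offset < 0))` guard after `offset = size - fragsz;` detects the undersized cache only if `offset` is a signed type, and the declarations of `offset`, `size` and `fragsz` — like the rest of the enclosing `refill:` function — lie outside this hunk, so that cannot be confirmed here. If `size` and `fragsz` are both unsigned, the subtraction itself wraps and the negative value only appears through the implementation-defined conversion on assignment, so the intent reads more clearly as a direct comparison made before the subtraction, `if (unlikely(fragsz > size)) return NULL;` with the explanatory comment kept on it. Since the hunk reproduces the upstream commit as-is, this is a readability point for the backport rather than a functional defect. The queue-4.9/series hunk only appends the file name and needs no comment.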
@@ -4,3 +4,4 @@ uas-ignore-uas-for-thinkplus-chips.patch
 net-usb-qmi_wwan-add-new-usb-id-for-dell-branded-em7455.patch
 ntfs-fix-bug_on-in-ntfs_lookup_inode_by_name.patch
 mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
+mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch