From: Greg Kroah-Hartman Date: Sun, 24 Oct 2021 12:00:30 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.290~54 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bbdba9de1871e21757163a14775c66d1c0d211e3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch --- diff --git a/queue-4.19/mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch b/queue-4.19/mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch new file mode 100644 index 00000000000..a98d56fdc6c --- /dev/null +++ b/queue-4.19/mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch 
@@ -0,0 +1,72 @@ +From 899447f669da76cc3605665e1a95ee877bc464cc Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Mon, 18 Oct 2021 15:15:55 -0700 +Subject: mm, slub: fix mismatch between reconstructed freelist depth and cnt + +From: Miaohe Lin + +commit 899447f669da76cc3605665e1a95ee877bc464cc upstream. + +If object's reuse is delayed, it will be excluded from the reconstructed +freelist. But we forgot to adjust the cnt accordingly. So there will +be a mismatch between reconstructed freelist depth and cnt. This will +lead to free_debug_processing() complaining about freelist count or a +incorrect slub inuse count. + +Link: https://lkml.kernel.org/r/20210916123920.48704-3-linmiaohe@huawei.com +Fixes: c3895391df38 ("kasan, slub: fix handling of kasan_slab_free hook") +Signed-off-by: Miaohe Lin +Reviewed-by: Vlastimil Babka +Cc: Andrey Konovalov +Cc: Andrey Ryabinin +Cc: Bharata B Rao +Cc: Christoph Lameter +Cc: David Rientjes +Cc: Faiyaz Mohammed +Cc: Greg Kroah-Hartman +Cc: Joonsoo Kim +Cc: Kees Cook +Cc: Pekka Enberg +Cc: Roman Gushchin +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -1392,7 +1392,8 @@ static __always_inline bool slab_free_ho + } + + static inline bool slab_free_freelist_hook(struct kmem_cache *s, +- void **head, void **tail) ++ void **head, void **tail, ++ int *cnt) + { + /* + * Compiler cannot detect this function can be removed if slab_free_hook() +@@ -1421,6 +1422,12 @@ static inline bool slab_free_freelist_ho + *head = object; + if (!*tail) + *tail = object; ++ } else { ++ /* ++ * Adjust the reconstructed freelist depth ++ * accordingly if object's reuse is delayed. 
++ */ ++ --(*cnt); + } + } while (object != old_tail); + +@@ -2988,7 +2995,7 @@ static __always_inline void slab_free(st + * With KASAN enabled slab_free_freelist_hook modifies the freelist + * to remove objects, whose reuse must be delayed. + */ +- if (slab_free_freelist_hook(s, &head, &tail)) ++ if (slab_free_freelist_hook(s, &head, &tail, &cnt)) + do_slab_free(s, page, head, tail, cnt, addr); + } + diff --git a/queue-4.19/series b/queue-4.19/series index 70688d68310..7ef523574e1 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -19,3 +19,4 @@ vfs-check-fd-has-read-access-in-kernel_read_file_from_fd.patch alsa-usb-audio-provide-quirk-for-sennheiser-gsp670-headset.patch alsa-hda-realtek-add-quirk-for-clevo-pc50hs.patch asoc-dapm-fix-missing-kctl-change-notifications.patch +mm-slub-fix-mismatch-between-reconstructed-freelist-depth-and-cnt.patch
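Review bot: In the new `else` branch of slab_free_freelist_hook(), `--(*cnt)` can bring the count down to zero when every object in the batch has its reuse delayed, so the adjusted `*cnt` is only meaningful together with the hook's return value; the hunk adds the `int *cnt` parameter but does not document that it is an in/out value. Suggest extending the added comment to something like `* Adjust the reconstructed freelist depth accordingly if object's reuse is delayed; *cnt is updated in place and is only valid when this function returns true`, which matches how the caller in slab_free() guards do_slab_free() on that return value.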
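Review bot: The unchanged context comment just above the modified call in slab_free() (`With KASAN enabled slab_free_freelist_hook modifies the freelist to remove objects, whose reuse must be delayed.`) is now incomplete, because the hook also decrements `cnt` for every object it drops from the list. Suggest extending it, e.g. `* to remove objects, whose reuse must be delayed, and adjusts cnt to the reconstructed freelist depth`, so a later reader sees why `&cnt` is passed and does not reintroduce a stale count into do_slab_free().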
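Review bot: The queue-4.19/series entry is appended after asoc-dapm-fix-missing-kctl-change-notifications.patch and matches the new file name exactly, which is fine; since the patch carries `Fixes: c3895391df38 ("kasan, slub: fix handling of kasan_slab_free hook")`, it is worth confirming that commit is present in the 4.19 tree before queuing, as the `void **head, void **tail` signature the first hunk expects at line 1392 comes from it.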