From: Sasha Levin
Date: Wed, 27 Nov 2019 14:27:46 +0000 (-0500)
Subject: fixes for 5.3
X-Git-Tag: v4.4.204~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d1aea28566719700881bdd83be414fbb778037e6;p=thirdparty%2Fkernel%2Fstable-queue.git
fixes for 5.3
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.3/mm-slub.c-init_on_free-1-should-wipe-freelist-ptr-fo.patch b/queue-5.3/mm-slub.c-init_on_free-1-should-wipe-freelist-ptr-fo.patch
new file mode 100644
index 00000000000..1fd279d82d6
--- /dev/null
+++ b/queue-5.3/mm-slub.c-init_on_free-1-should-wipe-freelist-ptr-fo.patch
@@ -0,0 +1,89 @@
+From d59a3838c75557266b489e56880eb300194bcc7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Oct 2019 14:11:57 -0700
+Subject: mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk
+ allocations
+
+From: Alexander Potapenko
+
+[ Upstream commit 0f181f9fbea8bc7ea2f7e13ae7f8c256b39e254c ]
+
+slab_alloc_node() already zeroed out the freelist pointer if
+init_on_free was on. Thibaut Sautereau noticed that the same needs to
+be done for kmem_cache_alloc_bulk(), which performs the allocations
+separately.
+
+kmem_cache_alloc_bulk() is currently used in two places in the kernel,
+so this change is unlikely to have a major performance impact.
+
+SLAB doesn't require a similar change, as auto-initialization makes the
+allocator store the freelist pointers off-slab.
+
+Link: http://lkml.kernel.org/r/20191007091605.30530-1-glider@google.com
+Fixes: 6471384af2a6 ("mm: security: introduce init_on_alloc=1 and init_on_free=1 boot options")
+Signed-off-by: Alexander Potapenko
+Reported-by: Thibaut Sautereau
+Reported-by: Kees Cook
+Cc: Christoph Lameter
+Cc: Laura Abbott
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/slub.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index d2445dd1c7eda..f24ea152cdbb3 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -2648,6 +2648,17 @@ static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
+ return p;
+ }
+
++/*
++ * If the object has been wiped upon free, make sure it's fully initialized by
++ * zeroing out freelist pointer.
++ */
++static __always_inline void maybe_wipe_obj_freeptr(struct kmem_cache *s,
++ void *obj)
++{
++ if (unlikely(slab_want_init_on_free(s)) && obj)
++ memset((void *)((char *)obj + s->offset), 0, sizeof(void *));
++}
++
+ /*
+ * Inlined fastpath so that allocation functions (kmalloc, kmem_cache_alloc)
+ * have the fastpath folded into their functions. So no function call
+@@ -2736,12 +2747,8 @@ redo:
+ prefetch_freepointer(s, next_object);
+ stat(s, ALLOC_FASTPATH);
+ }
+- /*
+- * If the object has been wiped upon free, make sure it's fully
+- * initialized by zeroing out freelist pointer.
+- */
+- if (unlikely(slab_want_init_on_free(s)) && object)
+- memset(object + s->offset, 0, sizeof(void *));
++
++ maybe_wipe_obj_freeptr(s, object);
+
+ if (unlikely(slab_want_init_on_alloc(gfpflags, s)) && object)
+ memset(object, 0, s->object_size);
+@@ -3155,10 +3162,13 @@ int kmem_cache_alloc_bulk(struct kmem_cache *s, gfp_t flags, size_t size,
+ goto error;
+
+ c = this_cpu_ptr(s->cpu_slab);
++ maybe_wipe_obj_freeptr(s, p[i]);
++
+ continue; /* goto for-loop */
+ }
+ c->freelist = get_freepointer(s, object);
+ p[i] = object;
++ maybe_wipe_obj_freeptr(s, p[i]);
+ }
+ c->tid = next_tid(c->tid);
+ local_irq_enable();
+--
+2.20.1
+
diff --git a/queue-5.3/series b/queue-5.3/series
index 2a9d97029dc..e068978f48f 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -77,3 +77,4 @@ media-b2c2-flexcop-usb-add-sanity-checking.patch
 media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
 media-imon-invalid-dereference-in-imon_touch_event.patch
 media-mceusb-fix-out-of-bounds-read-in-mce-receiver-buffer.patch
+mm-slub.c-init_on_free-1-should-wipe-freelist-ptr-fo.patch
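Review bot: The fast-path call `maybe_wipe_obj_freeptr(s, p[i]);` in kmem_cache_alloc_bulk is only correct because it follows `c->freelist = get_freepointer(s, object);` — the freelist pointer stored at `s->offset` inside the object is read before the helper zeroes it, and swapping those two lines would leave the per-cpu freelist pointing at garbage. That ordering is implicit in the hunk, so a one-line comment above the call such as `/* freelist link already read by get_freepointer(); safe to wipe */` would protect it from a later reorder. The slow-path call after `c = this_cpu_ptr(s->cpu_slab);` presumably relies on ___slab_alloc having already unlinked p[i], which happens outside the hunk and could carry the same comment. The helper's comment could also state its security purpose explicitly, that with init_on_free the freelist pointer is the only non-zero word left in a freed object and must not be handed back to the caller; the enclosing for-loop of kmem_cache_alloc_bulk starts outside the hunk.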