From 3d50a059bfd78a5033fbd642b77435c4ce9df053 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 7 Apr 2020 16:56:29 +0200
Subject: [PATCH] 5.6-stable patches
added patches:
mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
---
 ...-least-one-nodeid-for-mpol_preferred.patch | 57 +++++++++++++++++++
 queue-5.6/series | 1 +
 2 files changed, 58 insertions(+)
 create mode 100644 queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
diff --git a/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch b/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
new file mode 100644
index 00000000000..a800e97d886
--- /dev/null
+++ b/queue-5.6/mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
@@ -0,0 +1,57 @@
+From aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Wed, 1 Apr 2020 21:10:58 -0700
+Subject: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+
+From: Randy Dunlap
+
+commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.
+
+Using an empty (malformed) nodelist that is not caught during mount option
+parsing leads to a stack-out-of-bounds access.
+
+The option string that was used was: "mpol=prefer:,". However,
+MPOL_PREFERRED requires a single node number, which is not being provided
+here.
+
+Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
+nodeid.
+
+Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
+Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
+Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap
+Signed-off-by: Andrew Morton
+Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
+Cc: Lee Schermerhorn
+Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
+Signed-off-by: Linus Torvalds
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/mempolicy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -2841,7 +2841,9 @@ int mpol_parse_str(char *str, struct mem
+ switch (mode) {
+ case MPOL_PREFERRED:
+ /*
+- * Insist on a nodelist of one node only
++ * Insist on a nodelist of one node only, although later
++ * we use first_node(nodes) to grab a single node, so here
++ * nodelist (or nodes) cannot be empty.
+ */
+ if (nodelist) {
+ char *rest = nodelist;
+@@ -2849,6 +2851,8 @@ int mpol_parse_str(char *str, struct mem
+ rest++;
+ if (*rest)
+ goto out;
++ if (nodes_empty(nodes))
++ goto out;
+ }
+ break;
+ case MPOL_INTERLEAVE:
diff --git a/queue-5.6/series b/queue-5.6/series
index 1ac8d705a1b..51085315d12 100644
--- a/queue-5.6/series
+++ b/queue-5.6/series
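Review bot: The added `if (nodes_empty(nodes)) goto out;` only runs on the `if (nodelist)` path, so the rewritten comment's claim that "nodelist (or nodes) cannot be empty" is broader than what this block enforces; the no-nodelist case is decided elsewhere in `mpol_parse_str`, whose body starts and ends outside the hunk. I would tighten the comment to `/* A nodelist must name exactly one node: all digits, and the parsed mask must be non-empty because first_node(nodes) is used later to pick it. */` so the two conditions map onto the two `goto out` checks that follow. Since the comment itself states that the consumer calls first_node(nodes) on the parsed mask, a range check against MAX_NUMNODES at that use site would close the out-of-bounds access independently of which parse path produced the mask, though that site is not visible here.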
@@ -27,3 +27,4 @@ revert-dm-always-call-blk_queue_split-in-dm_process_bio.patch
 alsa-hda-ca0132-add-recon3di-quirk-to-handle-integrated-sound-on-evga-x99-classified-motherboard.patch
 soc-mediatek-knows_txdone-needs-to-be-set-in-mediatek-cmdq-helper.patch
 perf-python-fix-clang-detection-to-strip-out-options-passed-in-cc.patch
+mm-mempolicy-require-at-least-one-nodeid-for-mpol_preferred.patch
-- 
2.47.3