[pve-kernel.git] / patches / kernel / 0020-mm-mempolicy-fix-memory-leak-in-set_mempolicy_home_n.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Thu, 15 Dec 2022 14:46:21 -0500
Subject: [PATCH] mm/mempolicy: fix memory leak in set_mempolicy_home_node
 system call

commit 38ce7c9bdfc228c14d7621ba36d3eebedd9d4f76 upstream.

When encountering any vma in the range with policy other than MPOL_BIND or
MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on
the policy just allocated with mpol_dup().

This allows arbitrary users to leak kernel memory.

Link: https://lkml.kernel.org/r/20221215194621.202816-1-mathieu.desnoyers@efficios.com
Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: <stable@vger.kernel.org>	[5.17+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0ce4cc6d269ddc448a825955b495f662f5d9e153)
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 mm/mempolicy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 61aa9aedb728..02c8a712282f 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 		 * the home node for vmas we already updated before.
 		 */
 		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
+			mpol_put(new);
 			err = -EOPNOTSUPP;
 			break;
 		}
Commit	Line	Data
4d1db308 TL	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	3	Date: Thu, 15 Dec 2022 14:46:21 -0500
	4	Subject: [PATCH] mm/mempolicy: fix memory leak in set_mempolicy_home_node
	5	system call
	6
	7	commit 38ce7c9bdfc228c14d7621ba36d3eebedd9d4f76 upstream.
	8
	9	When encountering any vma in the range with policy other than MPOL_BIND or
	10	MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put on
	11	the policy just allocated with mpol_dup().
	12
	13	This allows arbitrary users to leak kernel memory.
	14
	15	Link: https://lkml.kernel.org/r/20221215194621.202816-1-mathieu.desnoyers@efficios.com
	16	Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
	17	Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
	18	Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
	19	Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
	20	Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
	21	Acked-by: Michal Hocko <mhocko@suse.com>
	22	Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
	23	Cc: Dave Hansen <dave.hansen@linux.intel.com>
	24	Cc: Feng Tang <feng.tang@intel.com>
	25	Cc: Michal Hocko <mhocko@kernel.org>
	26	Cc: Andrea Arcangeli <aarcange@redhat.com>
	27	Cc: Mel Gorman <mgorman@techsingularity.net>
	28	Cc: Mike Kravetz <mike.kravetz@oracle.com>
	29	Cc: Randy Dunlap <rdunlap@infradead.org>
	30	Cc: Vlastimil Babka <vbabka@suse.cz>
	31	Cc: Andi Kleen <ak@linux.intel.com>
	32	Cc: Dan Williams <dan.j.williams@intel.com>
	33	Cc: Huang Ying <ying.huang@intel.com>
	34	Cc: <stable@vger.kernel.org> [5.17+]
	35	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	(cherry picked from commit 0ce4cc6d269ddc448a825955b495f662f5d9e153)
	38	Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
	39	---
	40	mm/mempolicy.c \| 1 +
	41	1 file changed, 1 insertion(+)
	42
	43	diff --git a/mm/mempolicy.c b/mm/mempolicy.c
	44	index 61aa9aedb728..02c8a712282f 100644
	45	--- a/mm/mempolicy.c
	46	+++ b/mm/mempolicy.c
	47	@@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
	48	* the home node for vmas we already updated before.
	49	*/
	50	if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
	51	+ mpol_put(new);
	52	err = -EOPNOTSUPP;
	53	break;
	54	}