From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
To: Michal Hocko <mhocko@suse.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org,
Ben Widawsky <ben.widawsky@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Feng Tang <feng.tang@intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Mel Gorman <mgorman@techsingularity.net>,
Mike Kravetz <mike.kravetz@oracle.com>,
Randy Dunlap <rdunlap@infradead.org>,
Vlastimil Babka <vbabka@suse.cz>, Andi Kleen <ak@linux.intel.com>,
Dan Williams <dan.j.williams@intel.com>,
Huang Ying <ying.huang@intel.com>,
linux-api@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
Date: Thu, 15 Dec 2022 19:27:59 +0530 [thread overview]
Message-ID: <87o7s46a6w.fsf@linux.ibm.com> (raw)
In-Reply-To: <Y5rR9n5HSvlATV5A@dhcp22.suse.cz>
Michal Hocko <mhocko@suse.com> writes:
> On Wed 14-12-22 17:21:10, Mathieu Desnoyers wrote:
>> When encountering any vma in the range with policy other than MPOL_BIND
>> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
>> on the policy just allocated with mpol_dup().
>>
>> This allows arbitrary users to leak kernel memory.
>>
>> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
>> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
>> Cc: Ben Widawsky <ben.widawsky@intel.com>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Feng Tang <feng.tang@intel.com>
>> Cc: Michal Hocko <mhocko@kernel.org>
>> Cc: Andrea Arcangeli <aarcange@redhat.com>
>> Cc: Mel Gorman <mgorman@techsingularity.net>
>> Cc: Mike Kravetz <mike.kravetz@oracle.com>
>> Cc: Randy Dunlap <rdunlap@infradead.org>
>> Cc: Vlastimil Babka <vbabka@suse.cz>
>> Cc: Andi Kleen <ak@linux.intel.com>
>> Cc: Dan Williams <dan.j.williams@intel.com>
>> Cc: Huang Ying <ying.huang@intel.com>
>> Cc: <linux-api@vger.kernel.org>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: stable@vger.kernel.org # 5.17+
>
> Acked-by: Michal Hocko <mhocko@suse.com>
> Thanks for catching this!
>
> Btw. looking at the code again it seems rather pointless to duplicate
> the policy just to throw it away anyway. A slightly bigger diff but this
> looks more reasonable to me. What do you think? I can also send it as a
> clean up on top of your fix.
> ---
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..918cdc8a7f0c 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
> {
> struct mm_struct *mm = current->mm;
> struct vm_area_struct *vma;
> - struct mempolicy *new;
> + struct mempolicy *new. *old;
> unsigned long vmstart;
> unsigned long vmend;
> unsigned long end;
> @@ -1521,30 +1521,28 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
> return 0;
> mmap_write_lock(mm);
> for_each_vma_range(vmi, vma, end) {
> - vmstart = max(start, vma->vm_start);
> - vmend = min(end, vma->vm_end);
> - new = mpol_dup(vma_policy(vma));
> - if (IS_ERR(new)) {
> - err = PTR_ERR(new);
> - break;
> - }
> - /*
> - * Only update home node if there is an existing vma policy
> - */
> - if (!new)
> - continue;
> -
> /*
> * If any vma in the range got policy other than MPOL_BIND
> * or MPOL_PREFERRED_MANY we return error. We don't reset
> * the home node for vmas we already updated before.
> */
> - if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> + old = vma_policy(vma);
> + if (!old)
> + continue;
> + if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
> err = -EOPNOTSUPP;
> break;
> }
>
> + new = mpol_dup(vma_policy(vma));
new = mpol_dup(old);
> + if (IS_ERR(new)) {
> + err = PTR_ERR(new);
> + break;
> + }
> +
> new->home_node = home_node;
> + vmstart = max(start, vma->vm_start);
> + vmend = min(end, vma->vm_end);
> err = mbind_range(mm, vmstart, vmend, new);
> mpol_put(new);
> if (err)
> --
> Michal Hocko
> SUSE Labs
next prev parent reply other threads:[~2022-12-15 13:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
2022-12-14 23:16 ` Randy Dunlap
2022-12-15 6:34 ` Huang, Ying
2022-12-15 7:51 ` Michal Hocko
2022-12-15 13:57 ` Aneesh Kumar K.V [this message]
2022-12-15 14:33 ` Mathieu Desnoyers
2022-12-15 14:49 ` [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node Michal Hocko
2022-12-15 15:14 ` kernel test robot
2022-12-15 20:00 ` Mathieu Desnoyers
2022-12-15 13:56 ` [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Aneesh Kumar K.V
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o7s46a6w.fsf@linux.ibm.com \
--to=aneesh.kumar@linux.ibm.com \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=ben.widawsky@intel.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=feng.tang@intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mgorman@techsingularity.net \
--cc=mhocko@suse.com \
--cc=mike.kravetz@oracle.com \
--cc=rdunlap@infradead.org \
--cc=stable@vger.kernel.org \
--cc=vbabka@suse.cz \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.