[RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home

All of lore.kernel.org
 help / color / mirror / Atom feed

* [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
@ 2022-12-14 22:21 Mathieu Desnoyers
  2022-12-14 23:16 ` Randy Dunlap
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Mathieu Desnoyers @ 2022-12-14 22:21 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-kernel, Mathieu Desnoyers, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Michal Hocko, Andrea Arcangeli,
	Mel Gorman, Mike Kravetz, Randy Dunlap, Vlastimil Babka,
	Andi Kleen, Dan Williams, Huang Ying, linux-api, stable

When encountering any vma in the range with policy other than MPOL_BIND
or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
on the policy just allocated with mpol_dup().

This allows arbitrary users to leak kernel memory.

Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Ben Widawsky <ben.widawsky@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: <linux-api@vger.kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org # 5.17+
---
 mm/mempolicy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 61aa9aedb728..02c8a712282f 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 		 * the home node for vmas we already updated before.
 		 */
 		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
+			mpol_put(new);
 			err = -EOPNOTSUPP;
 			break;
 		}
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
@ 2022-12-14 23:16 ` Randy Dunlap
  2022-12-15  6:34 ` Huang, Ying
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Randy Dunlap @ 2022-12-14 23:16 UTC (permalink / raw)
  To: Mathieu Desnoyers, Andrew Morton
  Cc: linux-kernel, Aneesh Kumar K . V, Ben Widawsky, Dave Hansen,
	Feng Tang, Michal Hocko, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Vlastimil Babka, Andi Kleen, Dan Williams,
	Huang Ying, linux-api, stable



On 12/14/22 14:21, Mathieu Desnoyers wrote:
> When encountering any vma in the range with policy other than MPOL_BIND
> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
> on the policy just allocated with mpol_dup().
> 
> This allows arbitrary users to leak kernel memory.
> 
> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
> Cc: Ben Widawsky <ben.widawsky@intel.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Feng Tang <feng.tang@intel.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Andrea Arcangeli <aarcange@redhat.com>
> Cc: Mel Gorman <mgorman@techsingularity.net>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Andi Kleen <ak@linux.intel.com>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Huang Ying <ying.huang@intel.com>
> Cc: <linux-api@vger.kernel.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: stable@vger.kernel.org # 5.17+

Reviewed-by: Randy Dunlap <rdunlap@infradead.org>

Thanks.

> ---
>  mm/mempolicy.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..02c8a712282f 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  		 * the home node for vmas we already updated before.
>  		 */
>  		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> +			mpol_put(new);
>  			err = -EOPNOTSUPP;
>  			break;
>  		}

-- 
~Randy

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
  2022-12-14 23:16 ` Randy Dunlap
@ 2022-12-15  6:34 ` Huang, Ying
  2022-12-15  7:51 ` Michal Hocko
  2022-12-15 13:56 ` [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Aneesh Kumar K.V
  3 siblings, 0 replies; 10+ messages in thread
From: Huang, Ying @ 2022-12-15  6:34 UTC (permalink / raw)
  To: Mathieu Desnoyers
  Cc: Andrew Morton, linux-kernel, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Michal Hocko, Andrea Arcangeli,
	Mel Gorman, Mike Kravetz, Randy Dunlap, Vlastimil Babka,
	Andi Kleen, Dan Williams, linux-api, stable

Mathieu Desnoyers <mathieu.desnoyers@efficios.com> writes:

> When encountering any vma in the range with policy other than MPOL_BIND
> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
> on the policy just allocated with mpol_dup().
>
> This allows arbitrary users to leak kernel memory.
>
> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
> Cc: Ben Widawsky <ben.widawsky@intel.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Feng Tang <feng.tang@intel.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Andrea Arcangeli <aarcange@redhat.com>
> Cc: Mel Gorman <mgorman@techsingularity.net>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Andi Kleen <ak@linux.intel.com>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Huang Ying <ying.huang@intel.com>
> Cc: <linux-api@vger.kernel.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: stable@vger.kernel.org # 5.17+

Reviewed-by: "Huang, Ying" <ying.huang@intel.com>

Thanks!

> ---
>  mm/mempolicy.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..02c8a712282f 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  		 * the home node for vmas we already updated before.
>  		 */
>  		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> +			mpol_put(new);
>  			err = -EOPNOTSUPP;
>  			break;
>  		}

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
  2022-12-14 23:16 ` Randy Dunlap
  2022-12-15  6:34 ` Huang, Ying
@ 2022-12-15  7:51 ` Michal Hocko
  2022-12-15 13:57   ` Aneesh Kumar K.V
  2022-12-15 14:33   ` Mathieu Desnoyers
  2022-12-15 13:56 ` [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Aneesh Kumar K.V
  3 siblings, 2 replies; 10+ messages in thread
From: Michal Hocko @ 2022-12-15  7:51 UTC (permalink / raw)
  To: Mathieu Desnoyers
  Cc: Andrew Morton, linux-kernel, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Randy Dunlap, Vlastimil Babka, Andi Kleen,
	Dan Williams, Huang Ying, linux-api, stable

On Wed 14-12-22 17:21:10, Mathieu Desnoyers wrote:
> When encountering any vma in the range with policy other than MPOL_BIND
> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
> on the policy just allocated with mpol_dup().
> 
> This allows arbitrary users to leak kernel memory.
> 
> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
> Cc: Ben Widawsky <ben.widawsky@intel.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Feng Tang <feng.tang@intel.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Andrea Arcangeli <aarcange@redhat.com>
> Cc: Mel Gorman <mgorman@techsingularity.net>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Andi Kleen <ak@linux.intel.com>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Huang Ying <ying.huang@intel.com>
> Cc: <linux-api@vger.kernel.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: stable@vger.kernel.org # 5.17+

Acked-by: Michal Hocko <mhocko@suse.com>
Thanks for catching this!

Btw. looking at the code again it seems rather pointless to duplicate
the policy just to throw it away anyway. A slightly bigger diff but this
looks more reasonable to me. What do you think? I can also send it as a
clean up on top of your fix.
---
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 61aa9aedb728..918cdc8a7f0c 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 {
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma;
-	struct mempolicy *new;
+	struct mempolicy *new. *old;
 	unsigned long vmstart;
 	unsigned long vmend;
 	unsigned long end;
@@ -1521,30 +1521,28 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 		return 0;
 	mmap_write_lock(mm);
 	for_each_vma_range(vmi, vma, end) {
-		vmstart = max(start, vma->vm_start);
-		vmend   = min(end, vma->vm_end);
-		new = mpol_dup(vma_policy(vma));
-		if (IS_ERR(new)) {
-			err = PTR_ERR(new);
-			break;
-		}
-		/*
-		 * Only update home node if there is an existing vma policy
-		 */
-		if (!new)
-			continue;
-
 		/*
 		 * If any vma in the range got policy other than MPOL_BIND
 		 * or MPOL_PREFERRED_MANY we return error. We don't reset
 		 * the home node for vmas we already updated before.
 		 */
-		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
+		old = vma_policy(vma);
+		if (!old)
+			continue;
+		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
 			err = -EOPNOTSUPP;
 			break;
 		}
 
+		new = mpol_dup(vma_policy(vma));
+		if (IS_ERR(new)) {
+			err = PTR_ERR(new);
+			break;
+		}
+
 		new->home_node = home_node;
+		vmstart = max(start, vma->vm_start);
+		vmend   = min(end, vma->vm_end);
 		err = mbind_range(mm, vmstart, vmend, new);
 		mpol_put(new);
 		if (err)
-- 
Michal Hocko
SUSE Labs

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-15  7:51 ` Michal Hocko
@ 2022-12-15 13:57   ` Aneesh Kumar K.V
  2022-12-15 14:33   ` Mathieu Desnoyers
  1 sibling, 0 replies; 10+ messages in thread
From: Aneesh Kumar K.V @ 2022-12-15 13:57 UTC (permalink / raw)
  To: Michal Hocko, Mathieu Desnoyers
  Cc: Andrew Morton, linux-kernel, Ben Widawsky, Dave Hansen, Feng Tang,
	Andrea Arcangeli, Mel Gorman, Mike Kravetz, Randy Dunlap,
	Vlastimil Babka, Andi Kleen, Dan Williams, Huang Ying, linux-api,
	stable

Michal Hocko <mhocko@suse.com> writes:

> On Wed 14-12-22 17:21:10, Mathieu Desnoyers wrote:
>> When encountering any vma in the range with policy other than MPOL_BIND
>> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
>> on the policy just allocated with mpol_dup().
>> 
>> This allows arbitrary users to leak kernel memory.
>> 
>> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
>> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
>> Cc: Ben Widawsky <ben.widawsky@intel.com>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Feng Tang <feng.tang@intel.com>
>> Cc: Michal Hocko <mhocko@kernel.org>
>> Cc: Andrea Arcangeli <aarcange@redhat.com>
>> Cc: Mel Gorman <mgorman@techsingularity.net>
>> Cc: Mike Kravetz <mike.kravetz@oracle.com>
>> Cc: Randy Dunlap <rdunlap@infradead.org>
>> Cc: Vlastimil Babka <vbabka@suse.cz>
>> Cc: Andi Kleen <ak@linux.intel.com>
>> Cc: Dan Williams <dan.j.williams@intel.com>
>> Cc: Huang Ying <ying.huang@intel.com>
>> Cc: <linux-api@vger.kernel.org>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: stable@vger.kernel.org # 5.17+
>
> Acked-by: Michal Hocko <mhocko@suse.com>
> Thanks for catching this!
>
> Btw. looking at the code again it seems rather pointless to duplicate
> the policy just to throw it away anyway. A slightly bigger diff but this
> looks more reasonable to me. What do you think? I can also send it as a
> clean up on top of your fix.
> ---
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..918cdc8a7f0c 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  {
>  	struct mm_struct *mm = current->mm;
>  	struct vm_area_struct *vma;
> -	struct mempolicy *new;
> +	struct mempolicy *new. *old;
>  	unsigned long vmstart;
>  	unsigned long vmend;
>  	unsigned long end;
> @@ -1521,30 +1521,28 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  		return 0;
>  	mmap_write_lock(mm);
>  	for_each_vma_range(vmi, vma, end) {
> -		vmstart = max(start, vma->vm_start);
> -		vmend   = min(end, vma->vm_end);
> -		new = mpol_dup(vma_policy(vma));
> -		if (IS_ERR(new)) {
> -			err = PTR_ERR(new);
> -			break;
> -		}
> -		/*
> -		 * Only update home node if there is an existing vma policy
> -		 */
> -		if (!new)
> -			continue;
> -
>  		/*
>  		 * If any vma in the range got policy other than MPOL_BIND
>  		 * or MPOL_PREFERRED_MANY we return error. We don't reset
>  		 * the home node for vmas we already updated before.
>  		 */
> -		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> +		old = vma_policy(vma);
> +		if (!old)
> +			continue;
> +		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
>  			err = -EOPNOTSUPP;
>  			break;
>  		}
>  
> +		new = mpol_dup(vma_policy(vma));

		new = mpol_dup(old);

> +		if (IS_ERR(new)) {
> +			err = PTR_ERR(new);
> +			break;
> +		}
> +
>  		new->home_node = home_node;
> +		vmstart = max(start, vma->vm_start);
> +		vmend   = min(end, vma->vm_end);
>  		err = mbind_range(mm, vmstart, vmend, new);
>  		mpol_put(new);
>  		if (err)
> -- 
> Michal Hocko
> SUSE Labs

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-15  7:51 ` Michal Hocko
  2022-12-15 13:57   ` Aneesh Kumar K.V
@ 2022-12-15 14:33   ` Mathieu Desnoyers
  2022-12-15 14:49     ` [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node Michal Hocko
  1 sibling, 1 reply; 10+ messages in thread
From: Mathieu Desnoyers @ 2022-12-15 14:33 UTC (permalink / raw)
  To: Michal Hocko
  Cc: Andrew Morton, linux-kernel, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Randy Dunlap, Vlastimil Babka, Andi Kleen,
	Dan Williams, Huang Ying, linux-api, stable

On 2022-12-15 02:51, Michal Hocko wrote:
> On Wed 14-12-22 17:21:10, Mathieu Desnoyers wrote:
>> When encountering any vma in the range with policy other than MPOL_BIND
>> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
>> on the policy just allocated with mpol_dup().
>>
>> This allows arbitrary users to leak kernel memory.
>>
>> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
>> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
>> Cc: Ben Widawsky <ben.widawsky@intel.com>
>> Cc: Dave Hansen <dave.hansen@linux.intel.com>
>> Cc: Feng Tang <feng.tang@intel.com>
>> Cc: Michal Hocko <mhocko@kernel.org>
>> Cc: Andrea Arcangeli <aarcange@redhat.com>
>> Cc: Mel Gorman <mgorman@techsingularity.net>
>> Cc: Mike Kravetz <mike.kravetz@oracle.com>
>> Cc: Randy Dunlap <rdunlap@infradead.org>
>> Cc: Vlastimil Babka <vbabka@suse.cz>
>> Cc: Andi Kleen <ak@linux.intel.com>
>> Cc: Dan Williams <dan.j.williams@intel.com>
>> Cc: Huang Ying <ying.huang@intel.com>
>> Cc: <linux-api@vger.kernel.org>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: stable@vger.kernel.org # 5.17+
> 
> Acked-by: Michal Hocko <mhocko@suse.com>
> Thanks for catching this!
> 
> Btw. looking at the code again it seems rather pointless to duplicate
> the policy just to throw it away anyway. A slightly bigger diff but this
> looks more reasonable to me. What do you think? I can also send it as a
> clean up on top of your fix.

I think it would be best if this comes as a cleanup on top of my fix. 
The diff is larger than the minimal change needed to fix the leak in 
stable branches.

Your approach looks fine, except for the vma_policy(vma) -> old change 
already spotted by Aneesh.

Thanks,

Mathieu

> ---
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..918cdc8a7f0c 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>   {
>   	struct mm_struct *mm = current->mm;
>   	struct vm_area_struct *vma;
> -	struct mempolicy *new;
> +	struct mempolicy *new. *old;
>   	unsigned long vmstart;
>   	unsigned long vmend;
>   	unsigned long end;
> @@ -1521,30 +1521,28 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>   		return 0;
>   	mmap_write_lock(mm);
>   	for_each_vma_range(vmi, vma, end) {
> -		vmstart = max(start, vma->vm_start);
> -		vmend   = min(end, vma->vm_end);
> -		new = mpol_dup(vma_policy(vma));
> -		if (IS_ERR(new)) {
> -			err = PTR_ERR(new);
> -			break;
> -		}
> -		/*
> -		 * Only update home node if there is an existing vma policy
> -		 */
> -		if (!new)
> -			continue;
> -
>   		/*
>   		 * If any vma in the range got policy other than MPOL_BIND
>   		 * or MPOL_PREFERRED_MANY we return error. We don't reset
>   		 * the home node for vmas we already updated before.
>   		 */
> -		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> +		old = vma_policy(vma);
> +		if (!old)
> +			continue;
> +		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
>   			err = -EOPNOTSUPP;
>   			break;
>   		}
>   
> +		new = mpol_dup(vma_policy(vma));
> +		if (IS_ERR(new)) {
> +			err = PTR_ERR(new);
> +			break;
> +		}
> +
>   		new->home_node = home_node;
> +		vmstart = max(start, vma->vm_start);
> +		vmend   = min(end, vma->vm_end);
>   		err = mbind_range(mm, vmstart, vmend, new);
>   		mpol_put(new);
>   		if (err)

-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com


^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node
  2022-12-15 14:33   ` Mathieu Desnoyers
@ 2022-12-15 14:49     ` Michal Hocko
  2022-12-15 15:14       ` kernel test robot
  2022-12-15 20:00       ` Mathieu Desnoyers
  0 siblings, 2 replies; 10+ messages in thread
From: Michal Hocko @ 2022-12-15 14:49 UTC (permalink / raw)
  To: Mathieu Desnoyers
  Cc: Andrew Morton, linux-kernel, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Randy Dunlap, Vlastimil Babka, Andi Kleen,
	Dan Williams, Huang Ying, linux-api, stable

On Thu 15-12-22 09:33:54, Mathieu Desnoyers wrote:
> On 2022-12-15 02:51, Michal Hocko wrote:
[...]
> > Btw. looking at the code again it seems rather pointless to duplicate
> > the policy just to throw it away anyway. A slightly bigger diff but this
> > looks more reasonable to me. What do you think? I can also send it as a
> > clean up on top of your fix.
> 
> I think it would be best if this comes as a cleanup on top of my fix. The
> diff is larger than the minimal change needed to fix the leak in stable
> branches.
> 
> Your approach looks fine, except for the vma_policy(vma) -> old change
> already spotted by Aneesh.

This shouldn't have any real effect on the functionality. Anyway, here
is a follow up cleanup:
--- 
From f3fdb6f65fa3977aab13378b8e299b168719577c Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
Date: Thu, 15 Dec 2022 15:41:27 +0100
Subject: [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable
 for set_mempolicy_home_node

set_mempolicy_home_node tries to duplicate a memory policy before
checking it whether it is applicable for the operation. There is
no real reason for doing that and it might actually be a pointless
memory allocation and deallocation exercise for MPOL_INTERLEAVE.

Not a big problem but we can do better. Simply check the policy before
acting on it.

Signed-off-by: Michal Hocko <mhocko@suse.com>
---
 mm/mempolicy.c | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 02c8a712282f..becf41e10076 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 {
 	struct mm_struct *mm = current->mm;
 	struct vm_area_struct *vma;
-	struct mempolicy *new;
+	struct mempolicy *new, *old;
 	unsigned long vmstart;
 	unsigned long vmend;
 	unsigned long end;
@@ -1521,31 +1521,27 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
 		return 0;
 	mmap_write_lock(mm);
 	for_each_vma_range(vmi, vma, end) {
-		vmstart = max(start, vma->vm_start);
-		vmend   = min(end, vma->vm_end);
-		new = mpol_dup(vma_policy(vma));
-		if (IS_ERR(new)) {
-			err = PTR_ERR(new);
-			break;
-		}
-		/*
-		 * Only update home node if there is an existing vma policy
-		 */
-		if (!new)
-			continue;
-
 		/*
 		 * If any vma in the range got policy other than MPOL_BIND
 		 * or MPOL_PREFERRED_MANY we return error. We don't reset
 		 * the home node for vmas we already updated before.
 		 */
-		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
-			mpol_put(new);
+		old = vma_policy(vma);
+		if (!old)
+			continue;
+		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
 			err = -EOPNOTSUPP;
 			break;
 		}
+		new = mpol_dup(old);
+		if (IS_ERR(new)) {
+			err = PTR_ERR(new);
+			break;
+		}
 
 		new->home_node = home_node;
+		vmstart = max(start, vma->vm_start);
+		vmend   = min(end, vma->vm_end);
 		err = mbind_range(mm, vmstart, vmend, new);
 		mpol_put(new);
 		if (err)
-- 
2.30.2

-- 
Michal Hocko
SUSE Labs

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node
  2022-12-15 14:49     ` [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node Michal Hocko
@ 2022-12-15 15:14       ` kernel test robot
  2022-12-15 20:00       ` Mathieu Desnoyers
  1 sibling, 0 replies; 10+ messages in thread
From: kernel test robot @ 2022-12-15 15:14 UTC (permalink / raw)
  To: Michal Hocko; +Cc: stable, oe-kbuild-all

Hi,

Thanks for your patch.

FYI: kernel test robot notices the stable kernel rule is not satisfied.

Rule: 'Cc: stable@vger.kernel.org' or 'commit <sha1> upstream.'
Subject: [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node
Link: https://lore.kernel.org/stable/Y5sz3Ax%2BtONdWgbN%40dhcp22.suse.cz

The check is based on https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp




^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node
  2022-12-15 14:49     ` [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node Michal Hocko
  2022-12-15 15:14       ` kernel test robot
@ 2022-12-15 20:00       ` Mathieu Desnoyers
  1 sibling, 0 replies; 10+ messages in thread
From: Mathieu Desnoyers @ 2022-12-15 20:00 UTC (permalink / raw)
  To: Michal Hocko
  Cc: Andrew Morton, linux-kernel, Aneesh Kumar K . V, Ben Widawsky,
	Dave Hansen, Feng Tang, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Randy Dunlap, Vlastimil Babka, Andi Kleen,
	Dan Williams, Huang Ying, linux-api, stable

On 2022-12-15 09:49, Michal Hocko wrote:
> On Thu 15-12-22 09:33:54, Mathieu Desnoyers wrote:
>> On 2022-12-15 02:51, Michal Hocko wrote:
> [...]
>>> Btw. looking at the code again it seems rather pointless to duplicate
>>> the policy just to throw it away anyway. A slightly bigger diff but this
>>> looks more reasonable to me. What do you think? I can also send it as a
>>> clean up on top of your fix.
>>
>> I think it would be best if this comes as a cleanup on top of my fix. The
>> diff is larger than the minimal change needed to fix the leak in stable
>> branches.
>>
>> Your approach looks fine, except for the vma_policy(vma) -> old change
>> already spotted by Aneesh.
> 
> This shouldn't have any real effect on the functionality. Anyway, here
> is a follow up cleanup:
> ---
>  From f3fdb6f65fa3977aab13378b8e299b168719577c Mon Sep 17 00:00:00 2001
> From: Michal Hocko <mhocko@suse.com>
> Date: Thu, 15 Dec 2022 15:41:27 +0100
> Subject: [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable
>   for set_mempolicy_home_node
> 
> set_mempolicy_home_node tries to duplicate a memory policy before
> checking it whether it is applicable for the operation. There is
> no real reason for doing that and it might actually be a pointless
> memory allocation and deallocation exercise for MPOL_INTERLEAVE.
> 
> Not a big problem but we can do better. Simply check the policy before
> acting on it.
> 
> Signed-off-by: Michal Hocko <mhocko@suse.com>

Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

> ---
>   mm/mempolicy.c | 28 ++++++++++++----------------
>   1 file changed, 12 insertions(+), 16 deletions(-)
> 
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 02c8a712282f..becf41e10076 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1489,7 +1489,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>   {
>   	struct mm_struct *mm = current->mm;
>   	struct vm_area_struct *vma;
> -	struct mempolicy *new;
> +	struct mempolicy *new, *old;
>   	unsigned long vmstart;
>   	unsigned long vmend;
>   	unsigned long end;
> @@ -1521,31 +1521,27 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>   		return 0;
>   	mmap_write_lock(mm);
>   	for_each_vma_range(vmi, vma, end) {
> -		vmstart = max(start, vma->vm_start);
> -		vmend   = min(end, vma->vm_end);
> -		new = mpol_dup(vma_policy(vma));
> -		if (IS_ERR(new)) {
> -			err = PTR_ERR(new);
> -			break;
> -		}
> -		/*
> -		 * Only update home node if there is an existing vma policy
> -		 */
> -		if (!new)
> -			continue;
> -
>   		/*
>   		 * If any vma in the range got policy other than MPOL_BIND
>   		 * or MPOL_PREFERRED_MANY we return error. We don't reset
>   		 * the home node for vmas we already updated before.
>   		 */
> -		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> -			mpol_put(new);
> +		old = vma_policy(vma);
> +		if (!old)
> +			continue;
> +		if (old->mode != MPOL_BIND && old->mode != MPOL_PREFERRED_MANY) {
>   			err = -EOPNOTSUPP;
>   			break;
>   		}
> +		new = mpol_dup(old);
> +		if (IS_ERR(new)) {
> +			err = PTR_ERR(new);
> +			break;
> +		}
>   
>   		new->home_node = home_node;
> +		vmstart = max(start, vma->vm_start);
> +		vmend   = min(end, vma->vm_end);
>   		err = mbind_range(mm, vmstart, vmend, new);
>   		mpol_put(new);
>   		if (err)

-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call
  2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
                   ` (2 preceding siblings ...)
  2022-12-15  7:51 ` Michal Hocko
@ 2022-12-15 13:56 ` Aneesh Kumar K.V
  3 siblings, 0 replies; 10+ messages in thread
From: Aneesh Kumar K.V @ 2022-12-15 13:56 UTC (permalink / raw)
  To: Mathieu Desnoyers, Andrew Morton
  Cc: linux-kernel, Mathieu Desnoyers, Ben Widawsky, Dave Hansen,
	Feng Tang, Michal Hocko, Andrea Arcangeli, Mel Gorman,
	Mike Kravetz, Randy Dunlap, Vlastimil Babka, Andi Kleen,
	Dan Williams, Huang Ying, linux-api, stable

Mathieu Desnoyers <mathieu.desnoyers@efficios.com> writes:

> When encountering any vma in the range with policy other than MPOL_BIND
> or MPOL_PREFERRED_MANY, an error is returned without issuing a mpol_put
> on the policy just allocated with mpol_dup().
>
> This allows arbitrary users to leak kernel memory.
>

Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>

> Fixes: c6018b4b2549 ("mm/mempolicy: add set_mempolicy_home_node syscall")
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
> Cc: Ben Widawsky <ben.widawsky@intel.com>
> Cc: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Feng Tang <feng.tang@intel.com>
> Cc: Michal Hocko <mhocko@kernel.org>
> Cc: Andrea Arcangeli <aarcange@redhat.com>
> Cc: Mel Gorman <mgorman@techsingularity.net>
> Cc: Mike Kravetz <mike.kravetz@oracle.com>
> Cc: Randy Dunlap <rdunlap@infradead.org>
> Cc: Vlastimil Babka <vbabka@suse.cz>
> Cc: Andi Kleen <ak@linux.intel.com>
> Cc: Dan Williams <dan.j.williams@intel.com>
> Cc: Huang Ying <ying.huang@intel.com>
> Cc: <linux-api@vger.kernel.org>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: stable@vger.kernel.org # 5.17+
> ---
>  mm/mempolicy.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 61aa9aedb728..02c8a712282f 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1540,6 +1540,7 @@ SYSCALL_DEFINE4(set_mempolicy_home_node, unsigned long, start, unsigned long, le
>  		 * the home node for vmas we already updated before.
>  		 */
>  		if (new->mode != MPOL_BIND && new->mode != MPOL_PREFERRED_MANY) {
> +			mpol_put(new);
>  			err = -EOPNOTSUPP;
>  			break;
>  		}
> -- 
> 2.25.1

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2022-12-15 19:59 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-12-14 22:21 [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Mathieu Desnoyers
2022-12-14 23:16 ` Randy Dunlap
2022-12-15  6:34 ` Huang, Ying
2022-12-15  7:51 ` Michal Hocko
2022-12-15 13:57   ` Aneesh Kumar K.V
2022-12-15 14:33   ` Mathieu Desnoyers
2022-12-15 14:49     ` [PATCH] mm/mempolicy: do not duplicate policy if it is not applicable for set_mempolicy_home_node Michal Hocko
2022-12-15 15:14       ` kernel test robot
2022-12-15 20:00       ` Mathieu Desnoyers
2022-12-15 13:56 ` [RFC PATCH] mm/mempolicy: Fix memory leak in set_mempolicy_home_node system call Aneesh Kumar K.V

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.