From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Mel Gorman <mgorman@suse.de>, Christoph Lameter <cl@linux.com>,
Josh Boyer <jwboyer@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 102/122] mempolicy: fix refcount leak in mpol_set_shared_policy()
Date: Thu, 11 Oct 2012 07:54:28 +0900
Message-ID: <20121010225356.405642481@linuxfoundation.org>
In-Reply-To: <20121010225337.989799482@linuxfoundation.org>
3.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
commit 63f74ca21f1fad36d075e063f06dcc6d39fe86b2 upstream.
When shared_policy_replace() fails to allocate, new->policy is not freed
correctly by mpol_set_shared_policy(). The problem is that shared
mempolicy code directly calls kmem_cache_free() in multiple places where
it is easy to make a mistake.
This patch creates an sp_free wrapper function and uses it. The bug was
introduced pre-git age (IOW, before 2.6.12-rc2).
[mgorman@suse.de: Edited changelog]
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Christoph Lameter <cl@linux.com>
Cc: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mempolicy.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2157,12 +2157,17 @@ mpol_shared_policy_lookup(struct shared_
return pol;
}
+static void sp_free(struct sp_node *n)
+{
+ mpol_put(n->policy);
+ kmem_cache_free(sn_cache, n);
+}
+
static void sp_delete(struct shared_policy *sp, struct sp_node *n)
{
pr_debug("deleting %lx-l%lx\n", n->start, n->end);
rb_erase(&n->nd, &sp->root);
- mpol_put(n->policy);
- kmem_cache_free(sn_cache, n);
+ sp_free(n);
}
static struct sp_node *sp_alloc(unsigned long start, unsigned long end,
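Review bot: sp_free() has no comment stating its precondition. It drops the policy reference and frees the node but does not unlink it, so the caller must either have done rb_erase() first (as sp_delete() does just before the call) or hold a node that was never inserted into sp->root. A one-line comment above the helper would keep a later caller from passing a node that is still linked in the tree. Separately, the context line pr_debug("deleting %lx-l%lx\n", ...) appears to have a stray "l" in the format string; that is outside this change but could be fixed in a follow-up.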
@@ -2301,7 +2306,7 @@ int mpol_set_shared_policy(struct shared
}
err = shared_policy_replace(info, vma->vm_pgoff, vma->vm_pgoff+sz, new);
if (err && new)
- kmem_cache_free(sn_cache, new);
+ sp_free(new);
return err;
}
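Review bot: the error path "if (err && new) sp_free(new);" is only safe if shared_policy_replace() never inserts or otherwise consumes new before returning non-zero. If it ever did, this call would drop the policy reference and free a node that is still reachable from the tree. The visible lines do not show that contract, so it deserves a comment at the call site or on shared_policy_replace() saying that ownership of new passes to the tree only on success.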
@@ -2318,9 +2323,7 @@ void mpol_free_shared_policy(struct shar
while (next) {
n = rb_entry(next, struct sp_node, nd);
next = rb_next(&n->nd);
- rb_erase(&n->nd, &p->root);
- mpol_put(n->policy);
- kmem_cache_free(sn_cache, n);
+ sp_delete(p, n);
}
mutex_unlock(&p->mutex);
}
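Review bot: in the teardown loop, next = rb_next(&n->nd) has to stay ahead of sp_delete(p, n), because sp_delete() erases and frees n in a single call and the dependency is less obvious than with the three open-coded lines it replaces. A short comment on that ordering would help. Each node on this path now also goes through the pr_debug() in sp_delete(), a small behaviour change worth mentioning in the changelog.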