From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Wang Cheng <wanngchenng@gmail.com>,
syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com,
David Rientjes <rientjes@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 5.4 56/87] mm/mempolicy: fix uninit-value in mpol_rebind_policy()
Date: Wed, 27 Jul 2022 18:10:49 +0200 [thread overview]
Message-ID: <20220727161011.332184136@linuxfoundation.org> (raw)
In-Reply-To: <20220727161008.993711844@linuxfoundation.org>
From: Wang Cheng <wanngchenng@gmail.com>
commit 018160ad314d75b1409129b2247b614a9f35894c upstream.
mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when
pol->mode is MPOL_LOCAL. Check pol->mode before access
pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]
BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
mpol_rebind_policy mm/mempolicy.c:352 [inline]
mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]
cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278
cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515
cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]
cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804
__cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520
cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539
cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852
kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0x1318/0x2030 fs/read_write.c:590
ksys_write+0x28b/0x510 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
slab_alloc mm/slub.c:3259 [inline]
kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264
mpol_new mm/mempolicy.c:293 [inline]
do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853
kernel_set_mempolicy mm/mempolicy.c:1504 [inline]
__do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]
__se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507
__x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
KMSAN: uninit-value in mpol_rebind_task (2)
https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc
This patch seems to fix below bug too.
KMSAN: uninit-value in mpol_rebind_mm (2)
https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b
The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().
When syzkaller reproducer runs to the beginning of mpol_new(),
mpol_new() mm/mempolicy.c
do_mbind() mm/mempolicy.c
kernel_mbind() mm/mempolicy.c
`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`
is 0. Then
mode = MPOL_LOCAL;
...
policy->mode = mode;
policy->flags = flags;
will be executed. So in mpol_set_nodemask(),
mpol_set_nodemask() mm/mempolicy.c
do_mbind()
kernel_mbind()
pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,
which will be accessed in mpol_rebind_policy().
Link: https://lkml.kernel.org/r/20220512123428.fq3wofedp6oiotd4@ppc.localdomain
Signed-off-by: Wang Cheng <wanngchenng@gmail.com>
Reported-by: <syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com>
Tested-by: <syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mempolicy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -348,7 +348,7 @@ static void mpol_rebind_preferred(struct
*/
static void mpol_rebind_policy(struct mempolicy *pol, const nodemask_t *newmask)
{
- if (!pol)
+ if (!pol || pol->mode == MPOL_LOCAL)
return;
if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
next prev parent reply other threads:[~2022-07-27 16:42 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-27 16:09 [PATCH 5.4 00/87] 5.4.208-rc1 review Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 01/87] pinctrl: stm32: fix optional IRQ support to gpios Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 02/87] riscv: add as-options for modules with assembly compontents Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 03/87] mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 04/87] lockdown: Fix kexec lockdown bypass with ima policy Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 05/87] xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE Greg Kroah-Hartman
2022-07-27 16:09 ` [PATCH 5.4 06/87] PCI: hv: Fix multi-MSI to allow more than one MSI vector Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 07/87] PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 08/87] PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 09/87] PCI: hv: Fix interrupt mapping for multi-MSI Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 10/87] serial: mvebu-uart: correctly report configured baudrate value Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 11/87] xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 12/87] power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 13/87] pinctrl: ralink: Check for null return of devm_kcalloc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 14/87] perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 15/87] igc: Reinstate IGC_REMOVED logic and implement it properly Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 16/87] ip: Fix data-races around sysctl_ip_no_pmtu_disc Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 17/87] ip: Fix data-races around sysctl_ip_fwd_use_pmtu Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 18/87] ip: Fix data-races around sysctl_ip_nonlocal_bind Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 19/87] ip: Fix a data-race around sysctl_fwmark_reflect Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 20/87] tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 21/87] tcp: Fix data-races around sysctl_tcp_mtu_probing Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 22/87] tcp: Fix data-races around sysctl_tcp_base_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 23/87] tcp: Fix data-races around sysctl_tcp_min_snd_mss Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 24/87] tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 25/87] tcp: Fix a data-race around sysctl_tcp_probe_threshold Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 26/87] tcp: Fix a data-race around sysctl_tcp_probe_interval Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 27/87] i2c: cadence: Change large transfer count reset logic to be unconditional Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 28/87] net: stmmac: fix dma queue left shift overflow issue Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 29/87] net/tls: Fix race in TLS device down flow Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 30/87] igmp: Fix data-races around sysctl_igmp_llm_reports Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 31/87] igmp: Fix a data-race around sysctl_igmp_max_memberships Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 32/87] tcp: Fix data-races around sysctl_tcp_syncookies Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 33/87] tcp: Fix data-races around sysctl_tcp_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 34/87] tcp: Fix data-races around some timeout sysctl knobs Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 35/87] tcp: Fix a data-race around sysctl_tcp_notsent_lowat Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 36/87] tcp: Fix a data-race around sysctl_tcp_tw_reuse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 37/87] tcp: Fix data-races around sysctl_max_syn_backlog Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 38/87] tcp: Fix data-races around sysctl_tcp_fastopen Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 39/87] iavf: Fix handling of dummy receive descriptors Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 40/87] i40e: Fix erroneous adapter reinitialization during recovery process Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 41/87] ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 42/87] gpio: pca953x: only use single read/write for No AI mode Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 43/87] be2net: Fix buffer overflow in be_get_module_eeprom Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 44/87] ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 45/87] udp: Fix a data-race around sysctl_udp_l3mdev_accept Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 46/87] tcp: Fix data-races around sysctl knobs related to SYN option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 47/87] tcp: Fix a data-race around sysctl_tcp_early_retrans Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 48/87] tcp: Fix data-races around sysctl_tcp_recovery Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 49/87] tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 50/87] tcp: Fix data-races around sysctl_tcp_slow_start_after_idle Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 51/87] tcp: Fix a data-race around sysctl_tcp_retrans_collapse Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 52/87] tcp: Fix a data-race around sysctl_tcp_stdurg Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 53/87] tcp: Fix a data-race around sysctl_tcp_rfc1337 Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 54/87] tcp: Fix data-races around sysctl_tcp_max_reordering Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 55/87] spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers Greg Kroah-Hartman
2022-07-27 16:10 ` Greg Kroah-Hartman [this message]
2022-07-27 16:10 ` [PATCH 5.4 57/87] bpf: Make sure mac_header was set before using it Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 58/87] dlm: fix pending remove if msg allocation fails Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 59/87] ima: remove the IMA_TEMPLATE Kconfig option Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 60/87] locking/refcount: Define constants for saturation and max refcount values Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 61/87] locking/refcount: Ensure integer operands are treated as signed Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 62/87] locking/refcount: Remove unused refcount_*_checked() variants Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 63/87] locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the <linux/refcount.h> header Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 64/87] locking/refcount: Improve performance of generic REFCOUNT_FULL code Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 65/87] locking/refcount: Move saturation warnings out of line Greg Kroah-Hartman
2022-07-27 16:10 ` [PATCH 5.4 66/87] locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 67/87] locking/refcount: Consolidate implementations of refcount_t Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 68/87] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 69/87] x86/uaccess: Implement macros for CMPXCHG on user addresses Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 70/87] mmap locking API: initial implementation as rwsem wrappers Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 71/87] x86/mce: Deduplicate exception handling Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 72/87] bitfield.h: Fix "type of reg too small for mask" test Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 73/87] ALSA: memalloc: Align buffer allocations in page size Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 74/87] Bluetooth: Add bt_skb_sendmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 75/87] Bluetooth: Add bt_skb_sendmmsg helper Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 76/87] Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 77/87] Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 78/87] Bluetooth: Fix passing NULL to PTR_ERR Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 79/87] Bluetooth: SCO: Fix sco_send_frame returning skb->len Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 80/87] Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 81/87] tty: drivers/tty/, stop using tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 82/87] tty: the rest, " Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 83/87] tty: drop tty_schedule_flip() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 84/87] tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 85/87] tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 86/87] net: usb: ax88179_178a needs FLAG_SEND_ZLP Greg Kroah-Hartman
2022-07-27 16:11 ` [PATCH 5.4 87/87] x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() Greg Kroah-Hartman
2022-07-27 22:32 ` [PATCH 5.4 00/87] 5.4.208-rc1 review Florian Fainelli
2022-07-28 9:40 ` Naresh Kamboju
2022-07-28 14:41 ` Sudip Mukherjee (Codethink)
2022-07-28 14:45 ` Shuah Khan
2022-07-28 22:58 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220727161011.332184136@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rientjes@google.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+217f792c92599518a2ab@syzkaller.appspotmail.com \
--cc=vbabka@suse.cz \
--cc=wanngchenng@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox