Revision 6d2aec9e123bb9c49cb5c7fc654f25f81e688e8c authored by Eric Dumazet on 18 October 2021, 22:15:49 UTC, committed by Linus Torvalds on 19 October 2021, 06:22:03 UTC
syzbot reported access to uninitialized memory in mbind() [1]. The issue came with commit bda420b98505 ("numa balancing: migrate on fault among multiple bound nodes"). This commit added a new bit in MPOL_MODE_FLAGS, but only checked the valid combination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in do_set_mempolicy(). This patch moves the check into sanitize_mpol_flags() so that it is also used by mbind(). [1] BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260 __mpol_equal+0x567/0x590 mm/mempolicy.c:2260 mpol_equal include/linux/mempolicy.h:105 [inline] vma_merge+0x4a1/0x1e60 mm/mmap.c:1190 mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811 do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333 kernel_mbind mm/mempolicy.c:1483 [inline] __do_sys_mbind mm/mempolicy.c:1490 [inline] __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_alloc_node mm/slub.c:3221 [inline] slab_alloc mm/slub.c:3230 [inline] kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235 mpol_new mm/mempolicy.c:293 [inline] do_mbind+0x912/0x15f0 mm/mempolicy.c:1289 kernel_mbind mm/mempolicy.c:1483 [inline] __do_sys_mbind mm/mempolicy.c:1490 [inline] __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae ===================================================== Kernel panic - not syncing: panic_on_kmsan set ... 
CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G B 5.15.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106 dump_stack+0x25/0x28 lib/dump_stack.c:113 panic+0x44f/0xdeb kernel/panic.c:232 kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186 __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208 __mpol_equal+0x567/0x590 mm/mempolicy.c:2260 mpol_equal include/linux/mempolicy.h:105 [inline] vma_merge+0x4a1/0x1e60 mm/mmap.c:1190 mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811 do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333 kernel_mbind mm/mempolicy.c:1483 [inline] __do_sys_mbind mm/mempolicy.c:1490 [inline] __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486 __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Link: https://lkml.kernel.org/r/20211001215630.810592-1-eric.dumazet@gmail.com Fixes: bda420b98505 ("numa balancing: migrate on fault among multiple bound nodes") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Acked-by: Mel Gorman <mgorman@suse.de> Cc: "Huang, Ying" <ying.huang@intel.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 5173ed7
File | Mode | Size |
---|---|---|
asymmetric_keys | ||
async_tx | ||
842.c | -rw-r--r-- | 3.7 KB |
Kconfig | -rw-r--r-- | 55.6 KB |
Makefile | -rw-r--r-- | 7.6 KB |
acompress.c | -rw-r--r-- | 4.7 KB |
adiantum.c | -rw-r--r-- | 19.5 KB |
aead.c | -rw-r--r-- | 7.2 KB |
aegis.h | -rw-r--r-- | 2.5 KB |
aegis128-core.c | -rw-r--r-- | 15.6 KB |
aegis128-neon-inner.c | -rw-r--r-- | 8.4 KB |
aegis128-neon.c | -rw-r--r-- | 2.0 KB |
aes_generic.c | -rw-r--r-- | 57.6 KB |
aes_ti.c | -rw-r--r-- | 2.0 KB |
af_alg.c | -rw-r--r-- | 26.8 KB |
ahash.c | -rw-r--r-- | 15.7 KB |
akcipher.c | -rw-r--r-- | 4.0 KB |
algapi.c | -rw-r--r-- | 29.2 KB |
algboss.c | -rw-r--r-- | 5.4 KB |
algif_aead.c | -rw-r--r-- | 15.6 KB |
algif_hash.c | -rw-r--r-- | 9.5 KB |
algif_rng.c | -rw-r--r-- | 8.4 KB |
algif_skcipher.c | -rw-r--r-- | 9.6 KB |
ansi_cprng.c | -rw-r--r-- | 10.8 KB |
anubis.c | -rw-r--r-- | 27.8 KB |
api.c | -rw-r--r-- | 13.8 KB |
arc4.c | -rw-r--r-- | 2.1 KB |
authenc.c | -rw-r--r-- | 13.1 KB |
authencesn.c | -rw-r--r-- | 14.2 KB |
blake2b_generic.c | -rw-r--r-- | 5.9 KB |
blake2s_generic.c | -rw-r--r-- | 2.3 KB |
blowfish_common.c | -rw-r--r-- | 15.5 KB |
blowfish_generic.c | -rw-r--r-- | 3.1 KB |
camellia_generic.c | -rw-r--r-- | 34.0 KB |
cast5_generic.c | -rw-r--r-- | 20.4 KB |
cast6_generic.c | -rw-r--r-- | 9.1 KB |
cast_common.c | -rw-r--r-- | 12.9 KB |
cbc.c | -rw-r--r-- | 5.2 KB |
ccm.c | -rw-r--r-- | 23.5 KB |
cfb.c | -rw-r--r-- | 6.2 KB |
chacha20poly1305.c | -rw-r--r-- | 17.7 KB |
chacha_generic.c | -rw-r--r-- | 3.9 KB |
cipher.c | -rw-r--r-- | 2.6 KB |
cmac.c | -rw-r--r-- | 7.6 KB |
compress.c | -rw-r--r-- | 921 bytes |
crc32_generic.c | -rw-r--r-- | 2.8 KB |
crc32c_generic.c | -rw-r--r-- | 4.1 KB |
crct10dif_common.c | -rw-r--r-- | 3.6 KB |
crct10dif_generic.c | -rw-r--r-- | 3.1 KB |
cryptd.c | -rw-r--r-- | 28.6 KB |
crypto_engine.c | -rw-r--r-- | 15.3 KB |
crypto_null.c | -rw-r--r-- | 5.3 KB |
crypto_user_base.c | -rw-r--r-- | 12.0 KB |
crypto_user_stat.c | -rw-r--r-- | 9.6 KB |
ctr.c | -rw-r--r-- | 9.6 KB |
cts.c | -rw-r--r-- | 11.5 KB |
curve25519-generic.c | -rw-r--r-- | 2.2 KB |
deflate.c | -rw-r--r-- | 7.7 KB |
des_generic.c | -rw-r--r-- | 3.3 KB |
dh.c | -rw-r--r-- | 5.4 KB |
dh_helper.c | -rw-r--r-- | 3.4 KB |
drbg.c | -rw-r--r-- | 59.8 KB |
ecb.c | -rw-r--r-- | 2.4 KB |
ecc.c | -rw-r--r-- | 42.0 KB |
ecc.h | -rw-r--r-- | 7.8 KB |
ecc_curve_defs.h | -rw-r--r-- | 3.7 KB |
ecdh.c | -rw-r--r-- | 5.7 KB |
ecdh_helper.c | -rw-r--r-- | 2.0 KB |
ecdsa.c | -rw-r--r-- | 9.2 KB |
ecdsasignature.asn1 | -rw-r--r-- | 111 bytes |
echainiv.c | -rw-r--r-- | 4.1 KB |
ecrdsa.c | -rw-r--r-- | 8.4 KB |
ecrdsa_defs.h | -rw-r--r-- | 7.2 KB |
ecrdsa_params.asn1 | -rw-r--r-- | 142 bytes |
ecrdsa_pub_key.asn1 | -rw-r--r-- | 57 bytes |
essiv.c | -rw-r--r-- | 17.9 KB |
fcrypt.c | -rw-r--r-- | 18.0 KB |
fips.c | -rw-r--r-- | 1.7 KB |
gcm.c | -rw-r--r-- | 30.0 KB |
geniv.c | -rw-r--r-- | 3.8 KB |
gf128mul.c | -rw-r--r-- | 12.5 KB |
ghash-generic.c | -rw-r--r-- | 4.8 KB |
hash_info.c | -rw-r--r-- | 1.9 KB |
hmac.c | -rw-r--r-- | 6.4 KB |
internal.h | -rw-r--r-- | 4.0 KB |
jitterentropy-kcapi.c | -rw-r--r-- | 6.2 KB |
jitterentropy.c | -rw-r--r-- | 25.2 KB |
jitterentropy.h | -rw-r--r-- | 643 bytes |
keywrap.c | -rw-r--r-- | 9.5 KB |
khazad.c | -rw-r--r-- | 51.8 KB |
kpp.c | -rw-r--r-- | 2.7 KB |
lrw.c | -rw-r--r-- | 10.6 KB |
lz4.c | -rw-r--r-- | 3.3 KB |
lz4hc.c | -rw-r--r-- | 3.4 KB |
lzo-rle.c | -rw-r--r-- | 3.4 KB |
lzo.c | -rw-r--r-- | 3.3 KB |
md4.c | -rw-r--r-- | 5.9 KB |
md5.c | -rw-r--r-- | 7.4 KB |
memneq.c | -rw-r--r-- | 6.1 KB |
michael_mic.c | -rw-r--r-- | 3.4 KB |
nhpoly1305.c | -rw-r--r-- | 7.8 KB |
ofb.c | -rw-r--r-- | 2.5 KB |
pcbc.c | -rw-r--r-- | 4.7 KB |
pcrypt.c | -rw-r--r-- | 9.2 KB |
poly1305_generic.c | -rw-r--r-- | 3.7 KB |
proc.c | -rw-r--r-- | 2.5 KB |
ripemd.h | -rw-r--r-- | 655 bytes |
rmd160.c | -rw-r--r-- | 12.4 KB |
rng.c | -rw-r--r-- | 4.7 KB |
rsa-pkcs1pad.c | -rw-r--r-- | 17.3 KB |
rsa.c | -rw-r--r-- | 5.3 KB |
rsa_helper.c | -rw-r--r-- | 4.0 KB |
rsaprivkey.asn1 | -rw-r--r-- | 316 bytes |
rsapubkey.asn1 | -rw-r--r-- | 82 bytes |
scatterwalk.c | -rw-r--r-- | 2.0 KB |
scompress.c | -rw-r--r-- | 6.8 KB |
seed.c | -rw-r--r-- | 17.2 KB |
seqiv.c | -rw-r--r-- | 4.5 KB |
serpent_generic.c | -rw-r--r-- | 19.6 KB |
sha1_generic.c | -rw-r--r-- | 2.3 KB |
sha256_generic.c | -rw-r--r-- | 3.3 KB |
sha3_generic.c | -rw-r--r-- | 8.0 KB |
sha512_generic.c | -rw-r--r-- | 7.7 KB |
shash.c | -rw-r--r-- | 15.5 KB |
simd.c | -rw-r--r-- | 13.5 KB |
skcipher.c | -rw-r--r-- | 24.7 KB |
sm2.c | -rw-r--r-- | 9.8 KB |
sm2signature.asn1 | -rw-r--r-- | 113 bytes |
sm3_generic.c | -rw-r--r-- | 4.1 KB |
sm4_generic.c | -rw-r--r-- | 2.1 KB |
streebog_generic.c | -rw-r--r-- | 57.6 KB |
tcrypt.c | -rw-r--r-- | 79.5 KB |
tcrypt.h | -rw-r--r-- | 3.0 KB |
tea.c | -rw-r--r-- | 6.5 KB |
testmgr.c | -rw-r--r-- | 145.4 KB |
testmgr.h | -rw-r--r-- | 1.2 MB |
twofish_common.c | -rw-r--r-- | 37.1 KB |
twofish_generic.c | -rw-r--r-- | 5.5 KB |
vmac.c | -rw-r--r-- | 18.9 KB |
wp512.c | -rw-r--r-- | 59.7 KB |
xcbc.c | -rw-r--r-- | 6.7 KB |
xor.c | -rw-r--r-- | 3.8 KB |
xts.c | -rw-r--r-- | 11.8 KB |
xxhash_generic.c | -rw-r--r-- | 2.4 KB |
zstd.c | -rw-r--r-- | 5.0 KB |