Revision - 6d2aec9 - mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING

Revision 6d2aec9e123bb9c49cb5c7fc654f25f81e688e8c authored by Eric Dumazet on 18 October 2021, 22:15:49 UTC, committed by Linus Torvalds on 19 October 2021, 06:22:03 UTC

mm/mempolicy: do not allow illegal MPOL_F_NUMA_BALANCING | MPOL_LOCAL in mbind()

syzbot reported access to unitialized memory in mbind() [1]

Issue came with commit bda420b98505 ("numa balancing: migrate on fault
among multiple bound nodes")

This commit added a new bit in MPOL_MODE_FLAGS, but only checked valid
combination (MPOL_F_NUMA_BALANCING can only be used with MPOL_BIND) in
do_set_mempolicy()

This patch moves the check in sanitize_mpol_flags() so that it is also
used by mbind()

  [1]
  BUG: KMSAN: uninit-value in __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
   __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
   mpol_equal include/linux/mempolicy.h:105 [inline]
   vma_merge+0x4a1/0x1e60 mm/mmap.c:1190
   mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811
   do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333
   kernel_mbind mm/mempolicy.c:1483 [inline]
   __do_sys_mbind mm/mempolicy.c:1490 [inline]
   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
   do_syscall_x64 arch/x86/entry/common.c:51 [inline]
   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
   entry_SYSCALL_64_after_hwframe+0x44/0xae

  Uninit was created at:
   slab_alloc_node mm/slub.c:3221 [inline]
   slab_alloc mm/slub.c:3230 [inline]
   kmem_cache_alloc+0x751/0xff0 mm/slub.c:3235
   mpol_new mm/mempolicy.c:293 [inline]
   do_mbind+0x912/0x15f0 mm/mempolicy.c:1289
   kernel_mbind mm/mempolicy.c:1483 [inline]
   __do_sys_mbind mm/mempolicy.c:1490 [inline]
   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
   do_syscall_x64 arch/x86/entry/common.c:51 [inline]
   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  =====================================================
  Kernel panic - not syncing: panic_on_kmsan set ...
  CPU: 0 PID: 15049 Comm: syz-executor.0 Tainted: G    B             5.15.0-rc2-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x1ff/0x28e lib/dump_stack.c:106
   dump_stack+0x25/0x28 lib/dump_stack.c:113
   panic+0x44f/0xdeb kernel/panic.c:232
   kmsan_report+0x2ee/0x300 mm/kmsan/report.c:186
   __msan_warning+0xd7/0x150 mm/kmsan/instrumentation.c:208
   __mpol_equal+0x567/0x590 mm/mempolicy.c:2260
   mpol_equal include/linux/mempolicy.h:105 [inline]
   vma_merge+0x4a1/0x1e60 mm/mmap.c:1190
   mbind_range+0xcc8/0x1e80 mm/mempolicy.c:811
   do_mbind+0xf42/0x15f0 mm/mempolicy.c:1333
   kernel_mbind mm/mempolicy.c:1483 [inline]
   __do_sys_mbind mm/mempolicy.c:1490 [inline]
   __se_sys_mbind+0x437/0xb80 mm/mempolicy.c:1486
   __x64_sys_mbind+0x19d/0x200 mm/mempolicy.c:1486
   do_syscall_x64 arch/x86/entry/common.c:51 [inline]
   do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Link: https://lkml.kernel.org/r/20211001215630.810592-1-eric.dumazet@gmail.com
Fixes: bda420b98505 ("numa balancing: migrate on fault among multiple bound nodes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 parent 5173ed7

Files
Changes

Permalinks

File	Mode	Size
asymmetric_keys
async_tx
842.c	-rw-r--r--	3.7 KB
Kconfig	-rw-r--r--	55.6 KB
Makefile	-rw-r--r--	7.6 KB
acompress.c	-rw-r--r--	4.7 KB
adiantum.c	-rw-r--r--	19.5 KB
aead.c	-rw-r--r--	7.2 KB
aegis.h	-rw-r--r--	2.5 KB
aegis128-core.c	-rw-r--r--	15.6 KB
aegis128-neon-inner.c	-rw-r--r--	8.4 KB
aegis128-neon.c	-rw-r--r--	2.0 KB
aes_generic.c	-rw-r--r--	57.6 KB
aes_ti.c	-rw-r--r--	2.0 KB
af_alg.c	-rw-r--r--	26.8 KB
ahash.c	-rw-r--r--	15.7 KB
akcipher.c	-rw-r--r--	4.0 KB
algapi.c	-rw-r--r--	29.2 KB
algboss.c	-rw-r--r--	5.4 KB
algif_aead.c	-rw-r--r--	15.6 KB
algif_hash.c	-rw-r--r--	9.5 KB
algif_rng.c	-rw-r--r--	8.4 KB
algif_skcipher.c	-rw-r--r--	9.6 KB
ansi_cprng.c	-rw-r--r--	10.8 KB
anubis.c	-rw-r--r--	27.8 KB
api.c	-rw-r--r--	13.8 KB
arc4.c	-rw-r--r--	2.1 KB
authenc.c	-rw-r--r--	13.1 KB
authencesn.c	-rw-r--r--	14.2 KB
blake2b_generic.c	-rw-r--r--	5.9 KB
blake2s_generic.c	-rw-r--r--	2.3 KB
blowfish_common.c	-rw-r--r--	15.5 KB
blowfish_generic.c	-rw-r--r--	3.1 KB
camellia_generic.c	-rw-r--r--	34.0 KB
cast5_generic.c	-rw-r--r--	20.4 KB
cast6_generic.c	-rw-r--r--	9.1 KB
cast_common.c	-rw-r--r--	12.9 KB
cbc.c	-rw-r--r--	5.2 KB
ccm.c	-rw-r--r--	23.5 KB
cfb.c	-rw-r--r--	6.2 KB
chacha20poly1305.c	-rw-r--r--	17.7 KB
chacha_generic.c	-rw-r--r--	3.9 KB
cipher.c	-rw-r--r--	2.6 KB
cmac.c	-rw-r--r--	7.6 KB
compress.c	-rw-r--r--	921 bytes
crc32_generic.c	-rw-r--r--	2.8 KB
crc32c_generic.c	-rw-r--r--	4.1 KB
crct10dif_common.c	-rw-r--r--	3.6 KB
crct10dif_generic.c	-rw-r--r--	3.1 KB
cryptd.c	-rw-r--r--	28.6 KB
crypto_engine.c	-rw-r--r--	15.3 KB
crypto_null.c	-rw-r--r--	5.3 KB
crypto_user_base.c	-rw-r--r--	12.0 KB
crypto_user_stat.c	-rw-r--r--	9.6 KB
ctr.c	-rw-r--r--	9.6 KB
cts.c	-rw-r--r--	11.5 KB
curve25519-generic.c	-rw-r--r--	2.2 KB
deflate.c	-rw-r--r--	7.7 KB
des_generic.c	-rw-r--r--	3.3 KB
dh.c	-rw-r--r--	5.4 KB
dh_helper.c	-rw-r--r--	3.4 KB
drbg.c	-rw-r--r--	59.8 KB
ecb.c	-rw-r--r--	2.4 KB
ecc.c	-rw-r--r--	42.0 KB
ecc.h	-rw-r--r--	7.8 KB
ecc_curve_defs.h	-rw-r--r--	3.7 KB
ecdh.c	-rw-r--r--	5.7 KB
ecdh_helper.c	-rw-r--r--	2.0 KB
ecdsa.c	-rw-r--r--	9.2 KB
ecdsasignature.asn1	-rw-r--r--	111 bytes
echainiv.c	-rw-r--r--	4.1 KB
ecrdsa.c	-rw-r--r--	8.4 KB
ecrdsa_defs.h	-rw-r--r--	7.2 KB
ecrdsa_params.asn1	-rw-r--r--	142 bytes
ecrdsa_pub_key.asn1	-rw-r--r--	57 bytes
essiv.c	-rw-r--r--	17.9 KB
fcrypt.c	-rw-r--r--	18.0 KB
fips.c	-rw-r--r--	1.7 KB
gcm.c	-rw-r--r--	30.0 KB
geniv.c	-rw-r--r--	3.8 KB
gf128mul.c	-rw-r--r--	12.5 KB
ghash-generic.c	-rw-r--r--	4.8 KB
hash_info.c	-rw-r--r--	1.9 KB
hmac.c	-rw-r--r--	6.4 KB
internal.h	-rw-r--r--	4.0 KB
jitterentropy-kcapi.c	-rw-r--r--	6.2 KB
jitterentropy.c	-rw-r--r--	25.2 KB
jitterentropy.h	-rw-r--r--	643 bytes
keywrap.c	-rw-r--r--	9.5 KB
khazad.c	-rw-r--r--	51.8 KB
kpp.c	-rw-r--r--	2.7 KB
lrw.c	-rw-r--r--	10.6 KB
lz4.c	-rw-r--r--	3.3 KB
lz4hc.c	-rw-r--r--	3.4 KB
lzo-rle.c	-rw-r--r--	3.4 KB
lzo.c	-rw-r--r--	3.3 KB
md4.c	-rw-r--r--	5.9 KB
md5.c	-rw-r--r--	7.4 KB
memneq.c	-rw-r--r--	6.1 KB
michael_mic.c	-rw-r--r--	3.4 KB
nhpoly1305.c	-rw-r--r--	7.8 KB
ofb.c	-rw-r--r--	2.5 KB
pcbc.c	-rw-r--r--	4.7 KB
pcrypt.c	-rw-r--r--	9.2 KB
poly1305_generic.c	-rw-r--r--	3.7 KB
proc.c	-rw-r--r--	2.5 KB
ripemd.h	-rw-r--r--	655 bytes
rmd160.c	-rw-r--r--	12.4 KB
rng.c	-rw-r--r--	4.7 KB
rsa-pkcs1pad.c	-rw-r--r--	17.3 KB
rsa.c	-rw-r--r--	5.3 KB
rsa_helper.c	-rw-r--r--	4.0 KB
rsaprivkey.asn1	-rw-r--r--	316 bytes
rsapubkey.asn1	-rw-r--r--	82 bytes
scatterwalk.c	-rw-r--r--	2.0 KB
scompress.c	-rw-r--r--	6.8 KB
seed.c	-rw-r--r--	17.2 KB
seqiv.c	-rw-r--r--	4.5 KB
serpent_generic.c	-rw-r--r--	19.6 KB
sha1_generic.c	-rw-r--r--	2.3 KB
sha256_generic.c	-rw-r--r--	3.3 KB
sha3_generic.c	-rw-r--r--	8.0 KB
sha512_generic.c	-rw-r--r--	7.7 KB
shash.c	-rw-r--r--	15.5 KB
simd.c	-rw-r--r--	13.5 KB
skcipher.c	-rw-r--r--	24.7 KB
sm2.c	-rw-r--r--	9.8 KB
sm2signature.asn1	-rw-r--r--	113 bytes
sm3_generic.c	-rw-r--r--	4.1 KB
sm4_generic.c	-rw-r--r--	2.1 KB
streebog_generic.c	-rw-r--r--	57.6 KB
tcrypt.c	-rw-r--r--	79.5 KB
tcrypt.h	-rw-r--r--	3.0 KB
tea.c	-rw-r--r--	6.5 KB
testmgr.c	-rw-r--r--	145.4 KB
testmgr.h	-rw-r--r--	1.2 MB
twofish_common.c	-rw-r--r--	37.1 KB
twofish_generic.c	-rw-r--r--	5.5 KB
vmac.c	-rw-r--r--	18.9 KB
wp512.c	-rw-r--r--	59.7 KB
xcbc.c	-rw-r--r--	6.7 KB
xor.c	-rw-r--r--	3.8 KB
xts.c	-rw-r--r--	11.8 KB
xxhash_generic.c	-rw-r--r--	2.4 KB
zstd.c	-rw-r--r--	5.0 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...