From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Denis Kirjanov, "Lee Schermerhorn", "Linus Torvalds", "Entropy Moe" <3ntr0py1337@gmail.com>, "Randy Dunlap", syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
Date: Fri, 24 Apr 2020 00:07:33 +0100
Subject: [PATCH 3.16 226/245] mm: mempolicy: require at least one nodeid for MPOL_PREFERRED

3.16.83-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Randy Dunlap

commit aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd upstream.

Using an empty (malformed) nodelist that is not caught during mount option
parsing leads to a stack-out-of-bounds access.

The option string that was used was: "mpol=prefer:,". However,
MPOL_PREFERRED requires a single node number, which is not being provided
here.

Add a check that 'nodes' is not empty after parsing for MPOL_PREFERRED's
nodeid.

Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display")
Reported-by: Entropy Moe <3ntr0py1337@gmail.com>
Reported-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Tested-by: syzbot+b055b1a6b2b958707a21@syzkaller.appspotmail.com
Cc: Lee Schermerhorn
Link: http://lkml.kernel.org/r/89526377-7eb6-b662-e1d8-4430928abde9@infradead.org
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
 mm/mempolicy.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/mm/mempolicy.c +++ b/mm/mempolicy.c
@@ -2711,7 +2711,9 @@ int mpol_parse_str(char *str, struct mem switch (mode) { case MPOL_PREFERRED: /* - * Insist on a nodelist of one node only + * Insist on a nodelist of one node only, although later + * we use first_node(nodes) to grab a single node, so here + * nodelist (or nodes) cannot be empty. */ if (nodelist) { char *rest = nodelist; @@ -2719,6 +2721,8 @@ int mpol_parse_str(char *str, struct mem rest++; if (*rest) goto out; + if (nodes_empty(nodes)) + goto out; } break; case MPOL_INTERLEAVE:
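Review bot: In the first hunk (@@ -2711,7 +2711,9 @@) the rewritten comment reads as a non sequitur ("although later we use first_node(nodes) ..., so here ...") and uses nodelist, the option string, and nodes, the mask parsed from it, as if they were interchangeable. Suggest stating the requirement directly: the mask parsed from nodelist must hold at least one node because first_node(nodes) is taken from it later. That wording would also match the nodes_empty(nodes) test the second hunk adds.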
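Review bot: In the second hunk (@@ -2719,6 +2721,8 @@) the new nodes_empty(nodes) test sits inside the if (nodelist) block, so it only runs when a nodelist string was supplied. Since the comment in the first hunk says first_node(nodes) is used later, please confirm that this later use is likewise reached only when nodelist is non-NULL. If it is not, an MPOL_PREFERRED option with no nodelist at all would still arrive there with an empty mask, and the test would need to move outside the block.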
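The gap described in the commit message, as an added userspace model (not kernel code and not part of the original patch): an empty nodelist string contains no non-digit character, so a digit scan alone accepts it even though the parsed mask is empty. The `model_*` names, the 64-node limit and the simplified list parser are assumptions, as is the `isdigit()` loop, of which the hunk shows only the `rest++` and `if (*rest)` lines.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_MAX_NODES 64 /* assumption: stand-in for the kernel's node limit */

/* Hypothetical simplified nodelist parser: comma-separated decimal ids only
 * (no ranges). An empty string parses successfully to an empty mask. */
static bool model_parse_nodelist(const char *s, uint64_t *nodes)
{
    *nodes = 0;
    while (*s) {
        if (*s == ',') { s++; continue; }
        if (!isdigit((unsigned char)*s)) return false;
        char *end;
        unsigned long id = strtoul(s, &end, 10);
        if (id >= MODEL_MAX_NODES) return false;
        *nodes |= UINT64_C(1) << id;
        s = end;
    }
    return true;
}

/* Parse, then apply the MPOL_PREFERRED check modelled on the hunk: the digit
 * scan from its context lines, plus the added emptiness test when patched.
 * nodelist may be NULL (no ":nodelist" part), which skips the whole check. */
static bool model_accepts(const char *nodelist, bool patched)
{
    uint64_t nodes = 0;
    if (!nodelist)
        return true;
    if (!model_parse_nodelist(nodelist, &nodes))
        return false;
    const char *rest = nodelist;
    while (isdigit((unsigned char)*rest))
        rest++;
    if (*rest)
        return false;                /* anything after one bare number */
    return !(patched && nodes == 0); /* models nodes_empty(nodes) */
}

int main(void)
{
    const char *in[] = { "", "3", "1,2", "x" }; /* constructed sample inputs */
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("\"%s\": before=%d after=%d\n", in[i],
               model_accepts(in[i], false), model_accepts(in[i], true));
    return 0;
}
```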