| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Yi9w7TCYbj+OLGXJ@dhcp22.suse.cz>
Date: Mon, 14 Mar 2022 17:44:29 +0100
From: Michal Hocko <mhocko@...e.com>
To: Miaohe Lin <linmiaohe@...wei.com>
Cc: akpm@...ux-foundation.org, kosaki.motohiro@...fujitsu.com,
mgorman@...e.de, linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm/mempolicy: fix potential mpol_new leak in
shared_policy_replace
On Fri 11-03-22 17:36:24, Miaohe Lin wrote:
> If mpol_new is allocated but not used in restart loop, mpol_new will be
> freed via mpol_put before returning to the caller. But refcnt is not
> initialized yet, so mpol_put could not do the right things and might
> leak the unused mpol_new.
The code is really hideous but is there really any bug there? AFAICS the
new policy is only allocated in if (n->end > end) branch and that one
will set the reference count on the retry. Or am I missing something?
> Fixes: 42288fe366c4 ("mm: mempolicy: Convert shared_policy mutex to spinlock")
> Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
> ---
> mm/mempolicy.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index 34d2b29c96ad..f19f19d3558b 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -2733,6 +2733,7 @@ static int shared_policy_replace(struct shared_policy *sp, unsigned long start,
> mpol_new = kmem_cache_alloc(policy_cache, GFP_KERNEL);
> if (!mpol_new)
> goto err_out;
> + refcount_set(&mpol_new->refcnt, 1);
> goto restart;
> }
>
> --
> 2.23.0
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists