On 09/19/2016 09:55 PM, Andrew Morton wrote:
> On Wed, 24 Aug 2016 18:08:08 -0700 (PDT) David Rientjes <rient...@google.com> 
> wrote:
> 
>>> diff -puN lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free 
>>> lib/stackdepot.c
>>> --- a/lib/stackdepot.c~stackdepot-fix-mempolicy-use-after-free
>>> +++ a/lib/stackdepot.c
>>> @@ -243,6 +243,12 @@ depot_stack_handle_t depot_save_stack(st
>>>             alloc_flags &= ~GFP_ZONEMASK;
>>>             alloc_flags &= (GFP_ATOMIC | GFP_KERNEL);
>>>             alloc_flags |= __GFP_NOWARN;
>>> +           /*
>>> +            * Avoid using current->mempolicy which may already have
>>> +            * been freed -- we may be in the process of saving the
>>> +            * stack for exactly that __mpol_put() call.
>>> +            */
>>> +           alloc_flags |= __GFP_THISNODE;
>>>             page = alloc_pages(alloc_flags, STACK_ALLOC_ORDER);
>>>             if (page)
>>>                     prealloc = page_address(page);
>>
>> This is wrong, it unnecessarily restricts the allocation to a local node 
>> and has a greater chance to fail.  Passing __GFP_THISNODE here is only an 
>> implementation detail of mempolicies to avoid reference to freed policy.  
>> It is easy to fix by using alloc_pages_node(NUMA_NO_NODE, alloc_flags, 
>> STACK_ALLOC_ORDER) instead of alloc_pages() directly.
> 
> Any volunteers to test and send the patch?
> 

This already fixed in c11600e4fed67ae4cd6 ("mm, mempolicy: task->mempolicy must 
be NULL before dropping final reference")

Reply via email to