[PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference

2016-09-22 Thread Greg Kroah-Hartman 
4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: David Rientjes 

commit c11600e4fed67ae4cd6a8096936afd445410e8ed upstream.

KASAN allocates memory from the page allocator as part of
kmem_cache_free(), and that can reference current->mempolicy through any
number of allocation functions.  It needs to be NULL'd out before the
final reference is dropped to prevent a use-after-free bug:

BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr 
88010b48102c
CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
...
Call Trace:
dump_stack
kasan_object_err
kasan_report_error
__asan_report_load2_noabort
alloc_pages_current <-- use after free
depot_save_stack
save_stack
kasan_slab_free
kmem_cache_free
__mpol_put  <-- free
do_exit

This patch sets current->mempolicy to NULL before dropping the final
reference.

Link: 
http://lkml.kernel.org/r/alpine.deb.2.10.1608301442180.63...@chino.kir.corp.google.com
Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot 
for SLAB")
Signed-off-by: David Rientjes 
Reported-by: Vegard Nossum 
Acked-by: Andrey Ryabinin 
Cc: Alexander Potapenko 
Cc: Dmitry Vyukov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/mempolicy.h |4 
 kernel/exit.c |7 +--
 mm/mempolicy.c|   17 +
 3 files changed, 22 insertions(+), 6 deletions(-)

--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -195,6 +195,7 @@ static inline bool vma_migratable(struct
 }
 
 extern int mpol_misplaced(struct page *, struct vm_area_struct *, unsigned 
long);
+extern void mpol_put_task_policy(struct task_struct *);
 
 #else
 
@@ -297,5 +298,8 @@ static inline int mpol_misplaced(struct
return -1; /* no node preference */
 }
 
+static inline void mpol_put_task_policy(struct task_struct *task)
+{
+}
 #endif /* CONFIG_NUMA */
 #endif
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -768,12 +768,7 @@ void do_exit(long code)
TASKS_RCU(preempt_enable());
exit_notify(tsk, group_dead);
proc_exit_connector(tsk);
-#ifdef CONFIG_NUMA
-   task_lock(tsk);
-   mpol_put(tsk->mempolicy);
-   tsk->mempolicy = NULL;
-   task_unlock(tsk);
-#endif
+   mpol_put_task_policy(tsk);
 #ifdef CONFIG_FUTEX
if (unlikely(current->pi_state_cache))
kfree(current->pi_state_cache);
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2334,6 +2334,23 @@ out:
return ret;
 }
 
+/*
+ * Drop the (possibly final) reference to task->mempolicy.  It needs to be
+ * dropped after task->mempolicy is set to NULL so that any allocation done as
+ * part of its kmem_cache_free(), such as by KASAN, doesn't reference a freed
+ * policy.
+ */
+void mpol_put_task_policy(struct task_struct *task)
+{
+   struct mempolicy *pol;
+
+   task_lock(task);
+   pol = task->mempolicy;
+   task->mempolicy = NULL;
+   task_unlock(task);
+   mpol_put(pol);
+}
+
 static void sp_delete(struct shared_policy *sp, struct sp_node *n)
 {
pr_debug("deleting %lx-l%lx\n", n->start, n->end);

[PATCH 4.7 051/184] mm, mempolicy: task->mempolicy must be NULL before dropping final reference

2016-09-22 Thread Greg Kroah-Hartman 
4.7-stable review patch.  If anyone has any objections, please let me know.

--

From: David Rientjes 

commit c11600e4fed67ae4cd6a8096936afd445410e8ed upstream.

KASAN allocates memory from the page allocator as part of
kmem_cache_free(), and that can reference current->mempolicy through any
number of allocation functions.  It needs to be NULL'd out before the
final reference is dropped to prevent a use-after-free bug:

BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr 
88010b48102c
CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
...
Call Trace:
dump_stack
kasan_object_err
kasan_report_error
__asan_report_load2_noabort
alloc_pages_current <-- use after free
depot_save_stack
save_stack
kasan_slab_free
kmem_cache_free
__mpol_put  <-- free
do_exit

This patch sets current->mempolicy to NULL before dropping the final
reference.

Link: 
http://lkml.kernel.org/r/alpine.deb.2.10.1608301442180.63...@chino.kir.corp.google.com
Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot 
for SLAB")
Signed-off-by: David Rientjes 
Reported-by: Vegard Nossum 
Acked-by: Andrey Ryabinin 
Cc: Alexander Potapenko 
Cc: Dmitry Vyukov 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/mempolicy.h |4 
 kernel/exit.c |7 +--
 mm/mempolicy.c|   17 +
 3 files changed, 22 insertions(+), 6 deletions(-)

--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -195,6 +195,7 @@ static inline bool vma_migratable(struct
 }
 
 extern int mpol_misplaced(struct page *, struct vm_area_struct *, unsigned 
long);
+extern void mpol_put_task_policy(struct task_struct *);
 
 #else
 
@@ -297,5 +298,8 @@ static inline int mpol_misplaced(struct
return -1; /* no node preference */
 }
 
+static inline void mpol_put_task_policy(struct task_struct *task)
+{
+}
 #endif /* CONFIG_NUMA */
 #endif
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -768,12 +768,7 @@ void do_exit(long code)
TASKS_RCU(preempt_enable());
exit_notify(tsk, group_dead);
proc_exit_connector(tsk);
-#ifdef CONFIG_NUMA
-   task_lock(tsk);
-   mpol_put(tsk->mempolicy);
-   tsk->mempolicy = NULL;
-   task_unlock(tsk);
-#endif
+   mpol_put_task_policy(tsk);
 #ifdef CONFIG_FUTEX
if (unlikely(current->pi_state_cache))
kfree(current->pi_state_cache);
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2334,6 +2334,23 @@ out:
return ret;
 }
 
+/*
+ * Drop the (possibly final) reference to task->mempolicy.  It needs to be
+ * dropped after task->mempolicy is set to NULL so that any allocation done as
+ * part of its kmem_cache_free(), such as by KASAN, doesn't reference a freed
+ * policy.
+ */
+void mpol_put_task_policy(struct task_struct *task)
+{
+   struct mempolicy *pol;
+
+   task_lock(task);
+   pol = task->mempolicy;
+   task->mempolicy = NULL;
+   task_unlock(task);
+   mpol_put(pol);
+}
+
 static void sp_delete(struct shared_policy *sp, struct sp_node *n)
 {
pr_debug("deleting %lx-l%lx\n", n->start, n->end);