The patch titled Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str() has been added to the -mm tree. Its filename is mm-mempolicyc-fix-out-of-bounds-write-in-mpol_parse_str.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-mempolicyc-fix-out-of-bounds-write-in-mpol_parse_str.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-mempolicyc-fix-out-of-bounds-write-in-mpol_parse_str.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Subject: mm/mempolicy.c: fix out of bounds write in mpol_parse_str() What we are trying to do is change the '=' character to a NUL terminator and then at the end of the function we restore it back to an '='. The problem is there are two error paths where we jump to the end of the function before we have replaced the '=' with NUL. We end up putting the '=' in the wrong place (possibly one element before the start of the buffer). Link: http://lkml.kernel.org/r/20200115055426.vdjwvry44nfug7yy@kili.mountain Reported-by: syzbot+e64a13c5369a194d67df@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 095f1fc4ebf3 ("mempolicy: rework shmem mpol parsing and display") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Acked-by: Vlastimil Babka <vbabka@xxxxxxx> Dmitry Vyukov <dvyukov@xxxxxxxxxx> Cc: Michal Hocko <mhocko@xxxxxxxxxx> Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Cc: Lee Schermerhorn <lee.schermerhorn@xxxxxx> Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx> Cc: Hugh Dickins <hughd@xxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/mempolicy.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/mempolicy.c~mm-mempolicyc-fix-out-of-bounds-write-in-mpol_parse_str +++ a/mm/mempolicy.c @@ -2821,6 +2821,9 @@ int mpol_parse_str(char *str, struct mem char *flags = strchr(str, '='); int err = 1, mode; + if (flags) + *flags++ = '\0'; /* terminate mode string */ + if (nodelist) { /* NUL-terminate mode or flags string */ *nodelist++ = '\0'; @@ -2831,9 +2834,6 @@ int mpol_parse_str(char *str, struct mem } else nodes_clear(nodes); - if (flags) - *flags++ = '\0'; /* terminate mode string */ - mode = match_string(policy_modes, MPOL_MAX, str); if (mode < 0) goto out; _ Patches currently in -mm which might be from dan.carpenter@xxxxxxxxxx are mm-mempolicyc-fix-out-of-bounds-write-in-mpol_parse_str.patch zswap-potential-null-dereference-on-error-in-init_zswap.patch