mlock: CVE-2017-18221

mlock: fix mlock count can not decrease in race condition

References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.1.y&id=00fc586ea7410ee8664bfd4f4ea246c60ea0482c

Change-Id: I10ada2a00c1b3cf2b0d455d47ecdb9cbeaae62e0
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 122 insertions, 0 deletions

diff --git a/patches/cve/4.1.x.scc b/patches/cve/4.1.x.scc
index 27a4241..2f3ae79 100644
--- a/patches/cve/4.1.x.scc
+++ b/patches/cve/4.1.x.scc
@@ -10,3 +10,4 @@ patch CVE-2017-7895-nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
 
 #fixed in 4.1.41
 patch CVE-2017-10661-timerfd-Protect-the-might-cancel-mechanism-proper.patch
+patch CVE-2017-18221-mlock-fix-mlock-count-can-not-decrease-in-race-condi.patch
diff --git a/patches/cve/CVE-2017-18221-mlock-fix-mlock-count-can-not-decrease-in-race-condi.patch b/patches/cve/CVE-2017-18221-mlock-fix-mlock-count-can-not-decrease-in-race-condi.patch
new file mode 100644
index 0000000..9ccf1a8
--- /dev/null
+++ b/patches/cve/CVE-2017-18221-mlock-fix-mlock-count-can-not-decrease-in-race-condi.patch
@@ -0,0 +1,121 @@
+From 00fc586ea7410ee8664bfd4f4ea246c60ea0482c Mon Sep 17 00:00:00 2001
+From: Yisheng Xie <xieyisheng1@huawei.com>
+Date: Fri, 2 Jun 2017 14:46:43 -0700
+Subject: [PATCH] mlock: fix mlock count can not decrease in race condition
+
+[ Upstream commit 70feee0e1ef331b22cc51f383d532a0d043fbdcc ]
+
+Kefeng reported that when running the follow test, the mlock count in
+meminfo will increase permanently:
+
+ [1] testcase
+ linux:~ # cat test_mlockal
+ grep Mlocked /proc/meminfo
+  for j in `seq 0 10`
+  do
+        for i in `seq 4 15`
+        do
+                ./p_mlockall >> log &
+        done
+        sleep 0.2
+ done
+ # wait some time to let mlock counter decrease and 5s may not enough
+ sleep 5
+ grep Mlocked /proc/meminfo
+
+ linux:~ # cat p_mlockall.c
+ #include <sys/mman.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+
+ #define SPACE_LEN      4096
+
+ int main(int argc, char ** argv)
+ {
+                int ret;
+                void *adr = malloc(SPACE_LEN);
+                if (!adr)
+                        return -1;
+
+                ret = mlockall(MCL_CURRENT | MCL_FUTURE);
+                printf("mlcokall ret = %d\n", ret);
+
+                ret = munlockall();
+                printf("munlcokall ret = %d\n", ret);
+
+                free(adr);
+                return 0;
+         }
+
+In __munlock_pagevec() we should decrement NR_MLOCK for each page where
+we clear the PageMlocked flag.  Commit 1ebb7cc6a583 ("mm: munlock: batch
+NR_MLOCK zone state updates") has introduced a bug where we don't
+decrement NR_MLOCK for pages where we clear the flag, but fail to
+isolate them from the lru list (e.g.  when the pages are on some other
+cpu's percpu pagevec).  Since PageMlocked stays cleared, the NR_MLOCK
+accounting gets permanently disrupted by this.
+
+Fix it by counting the number of page whose PageMlock flag is cleared.
+
+Fixes: 1ebb7cc6a583 (" mm: munlock: batch NR_MLOCK zone state updates")
+Link: http://lkml.kernel.org/r/1495678405-54569-1-git-send-email-xieyisheng1@huawei.com
+
+CVE: CVE-2017-18221  
+Upstream-Status: Backport  
+
+Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
+Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Tested-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Joern Engel <joern@logfs.org>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@suse.cz>
+Cc: Xishi Qiu <qiuxishi@huawei.com>
+Cc: zhongjiang <zhongjiang@huawei.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ mm/mlock.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mlock.c b/mm/mlock.c
+index 3d3ee6ca..00ff8c7 100644
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -277,7 +277,7 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone)
+ {
+        int i;
+        int nr = pagevec_count(pvec);
+-       int delta_munlocked;
++       int delta_munlocked = -nr;
+        struct pagevec pvec_putback;
+        int pgrescued = 0;
+ 
+@@ -297,6 +297,8 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone)
+                                continue;
+                        else
+                                __munlock_isolation_failed(page);
++               } else {
++                       delta_munlocked++;
+                }
+ 
+                /*
+@@ -308,7 +310,6 @@ static void __munlock_pagevec(struct pagevec *pvec, struct zone *zone)
+                pagevec_add(&pvec_putback, pvec->pages[i]);
+                pvec->pages[i] = NULL;
+        }
+-       delta_munlocked = -nr + pagevec_count(&pvec_putback);
+        __mod_zone_page_state(zone, NR_MLOCK, delta_munlocked);
+        spin_unlock_irq(&zone->lru_lock);
+ 
+-- 
+2.7.4
+