CVE-2022-49257

Source
https://cve.org/CVERecord?id=CVE-2022-49257
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49257.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49257
Published
2025-02-26T01:56:11.072Z
Modified
2026-04-11T12:43:45.580409Z
Summary
watch_queue: Fix NULL dereference in error cleanup
Details

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: Fix NULL dereference in error cleanup

In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated.

Fix this by only calling __free_page() on the pages actually allocated.

Without the fix, this can lead to something like the following:

BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
Read of size 4 at addr 0000000000000034 by task syz-executor168/3599
...
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold+0x66/0xdf mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 page_ref_count include/linux/page_ref.h:67 [inline]
 put_page_testzero include/linux/mm.h:717 [inline]
 __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473
 watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275
 pipe_ioctl+0xac/0x2b0 fs/pipe.c:632
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
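The allocation-then-cleanup pattern the commit message describes, as an added userspace model that is not the kernel's own code: a loop fills an array of page pointers, one allocation fails part way through, and the error path frees the pages. The buggy cleanup walks every slot of the array, so the slots the failed and never-attempted allocations left NULL are handed to the free routine; the fixed cleanup walks back only over the slots that were filled. The trace above shows why the NULL matters: __free_page() reaches put_page_testzero() -> page_ref_count() -> atomic_read() before anything else, which is the 4-byte read at 0x34 through a NULL page pointer. Everything here (struct page, model_alloc_page, model_free_page, the fail_at fault injection, set_size, run_scenario, and the `while (--i >= 0)` form of the fixed loop) is this example's own construction; the kernel's actual code is not reproduced.

```c
#include <errno.h>
#include <stdlib.h>

/* Stand-in for struct page. In the trace, __free_page() reaches
 * put_page_testzero() -> page_ref_count() -> atomic_read(), i.e. it reads the
 * refcount before anything else, so a NULL page pointer oopses on that read. */
struct page {
	int refcount;
};

/* Fault-injecting model of alloc_page()/__free_page(); assumed, not kernel code. */
static int fail_at;      /* allocation number that returns NULL; -1 = never */
static int alloc_calls;  /* allocations attempted so far */
static int live_pages;   /* pages allocated and not yet freed (leak check) */
static int null_derefs;  /* __free_page(NULL) calls; each one is a kernel oops */

static struct page *model_alloc_page(void)
{
	struct page *p;

	if (alloc_calls++ == fail_at)
		return NULL;
	p = calloc(1, sizeof(*p));
	if (!p)
		return NULL;
	p->refcount = 1;
	live_pages++;
	return p;
}

static void model_free_page(struct page *p)
{
	if (!p) {
		null_derefs++;  /* the kernel dereferences p here; we count instead */
		return;
	}
	if (--p->refcount == 0) {
		live_pages--;
		free(p);
	}
}

/* Allocate nr_pages buffer pages into *out, in the shape the commit message
 * describes. use_fix picks the error path: 0 walks every slot (the bug),
 * 1 walks only the slots that were actually filled. */
static int set_size(struct page ***out, int nr_pages, int use_fix)
{
	struct page **pages;
	int i, ret = -ENOMEM;

	pages = calloc(nr_pages, sizeof(*pages));  /* all slots start out NULL */
	if (!pages)
		goto error;
	for (i = 0; i < nr_pages; i++) {
		pages[i] = model_alloc_page();
		if (!pages[i])
			goto error_p;
	}
	*out = pages;
	return 0;

error_p:
	if (use_fix) {
		/* i is the index that failed; only slots 0..i-1 hold pages. */
		while (--i >= 0)
			model_free_page(pages[i]);
	} else {
		/* Also passes the NULL slots i..nr_pages-1 to free: the bug. */
		for (i = 0; i < nr_pages; i++)
			model_free_page(pages[i]);
	}
	free(pages);
error:
	return ret;
}

struct run_result {
	int ret;          /* return value of set_size() */
	int null_derefs;  /* __free_page(NULL) calls during cleanup */
	int live_pages;   /* pages still allocated afterwards; 0 means no leak */
};

/* One scenario: nr_pages requested, allocation number fail_index fails (-1: none). */
static struct run_result run_scenario(int nr_pages, int fail_index, int use_fix)
{
	struct page **pages = NULL;
	struct run_result r;
	int i;

	fail_at = fail_index;
	alloc_calls = live_pages = null_derefs = 0;
	r.ret = set_size(&pages, nr_pages, use_fix);
	if (r.ret == 0) {  /* success: release the pages the normal way */
		for (i = 0; i < nr_pages; i++)
			model_free_page(pages[i]);
		free(pages);
	}
	r.null_derefs = null_derefs;
	r.live_pages = live_pages;
	return r;
}
```

run_scenario(4, 2, 0) requests four pages with the third allocation failing: the buggy path returns -ENOMEM but calls the free routine on two NULL slots, which in the kernel is the first oops in the trace; run_scenario(4, 2, 1) returns the same error with no NULL frees and no leaked pages. The counters are what to check when writing a regression test for this class of cleanup bug: both the number of NULL frees (must be zero) and the number of live pages left behind (must be zero), since a fix that stops the crash by skipping the loop entirely would leak instead.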

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49257.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c73be61cede5882f9605a852414db559c0ebedfd
Fixed
5ae75b4ed30322b42abaa75ef1b784addfdb7dc9
Fixed
695c47cea02b9101e2fc2e7d36d552128592b347
Fixed
112a2f9b0a8457794095a0450598f150724ec456
Fixed
b6f5ad3e45d19f9c4ee3e8a2aff829f28d68591d
Fixed
a635415a064e77bcfbf43da413fd9dfe0bbed9cb

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49257.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.110
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.33
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49257.json"