CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
This commit is contained in:
parent
927ec95fb5
commit
d8be0409b7
|
@ -0,0 +1,86 @@
|
|||
From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Date: Fri, 15 Jan 2016 16:57:37 -0800
|
||||
Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()
|
||||
|
||||
Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
|
||||
argument end is of type pgoff_t. It was being converted to a vaddr
|
||||
offset and passed to unmap_hugepage_range. However, end was also being
|
||||
used as an argument to the vma_interval_tree_foreach controlling loop.
|
||||
In addition, the conversion of end to vaddr offset was incorrect.
|
||||
|
||||
hugetlb_vmtruncate_list is called as part of a file truncate or
|
||||
fallocate hole punch operation.
|
||||
|
||||
When truncating a hugetlbfs file, this bug could prevent some pages from
|
||||
being unmapped. This is possible if there are multiple vmas mapping the
|
||||
file, and there is a sufficiently sized hole between the mappings. The
|
||||
size of the hole between two vmas (A,B) must be such that the starting
|
||||
virtual address of B is greater than (ending virtual address of A <<
|
||||
PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
|
||||
pages are not properly unmapped during truncate, the following BUG is
|
||||
hit:
|
||||
|
||||
kernel BUG at fs/hugetlbfs/inode.c:428!
|
||||
|
||||
In the fallocate hole punch case, this bug could prevent pages from
|
||||
being unmapped as in the truncate case. However, for hole punch the
|
||||
result is that unmapped pages will not be removed during the operation.
|
||||
For hole punch, it is also possible that more pages than desired will be
|
||||
unmapped. This unnecessary unmapping will cause page faults to
|
||||
reestablish the mappings on subsequent page access.
|
||||
|
||||
Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
|
||||
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
|
||||
Cc: Hugh Dickins <hughd@google.com>
|
||||
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
|
||||
Cc: Davidlohr Bueso <dave@stgolabs.net>
|
||||
Cc: Dave Hansen <dave.hansen@linux.intel.com>
|
||||
Cc: <stable@vger.kernel.org> [4.3]
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
fs/hugetlbfs/inode.c | 19 +++++++++++--------
|
||||
1 file changed, 11 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
|
||||
index bbc333b01ca3..9c07d2d754c9 100644
|
||||
--- a/fs/hugetlbfs/inode.c
|
||||
+++ b/fs/hugetlbfs/inode.c
|
||||
@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
*/
|
||||
vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
|
||||
unsigned long v_offset;
|
||||
+ unsigned long v_end;
|
||||
|
||||
/*
|
||||
* Can the expression below overflow on 32-bit arches?
|
||||
@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
|
||||
else
|
||||
v_offset = 0;
|
||||
|
||||
- if (end) {
|
||||
- end = ((end - start) << PAGE_SHIFT) +
|
||||
- vma->vm_start + v_offset;
|
||||
- if (end > vma->vm_end)
|
||||
- end = vma->vm_end;
|
||||
- } else
|
||||
- end = vma->vm_end;
|
||||
+ if (!end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ else {
|
||||
+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
|
||||
+ + vma->vm_start;
|
||||
+ if (v_end > vma->vm_end)
|
||||
+ v_end = vma->vm_end;
|
||||
+ }
|
||||
|
||||
- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
|
||||
+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
|
||||
+ NULL);
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.5.0
|
||||
|
|
@ -628,6 +628,9 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
|
|||
#rhbz 1255325
|
||||
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
|
||||
|
||||
#CVE-2016-0617 rhbz 1305803 1305804
|
||||
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -2071,6 +2074,9 @@ fi
|
|||
#
|
||||
#
|
||||
%changelog
|
||||
* Tue Feb 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
|
||||
|
||||
* Mon Feb 01 2016 Laura Abbott <labbott@fedoraproject.org>
|
||||
- Linux v4.4.1
|
||||
|
||||
|
|
Loading…
Reference in New Issue