CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
This commit is contained in:
parent 927ec95fb5
commit d8be0409b7
fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch (Normal file, 86 lines)
@ -0,0 +1,86 @@
From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001
From: Mike Kravetz <mike.kravetz@oracle.com>
Date: Fri, 15 Jan 2016 16:57:37 -0800
Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()

Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The
argument end is of type pgoff_t. It was being converted to a vaddr
offset and passed to unmap_hugepage_range. However, end was also being
used as an argument to the vma_interval_tree_foreach controlling loop.
In addition, the conversion of end to vaddr offset was incorrect.

hugetlb_vmtruncate_list is called as part of a file truncate or
fallocate hole punch operation.

When truncating a hugetlbfs file, this bug could prevent some pages from
being unmapped. This is possible if there are multiple vmas mapping the
file, and there is a sufficiently sized hole between the mappings. The
size of the hole between two vmas (A,B) must be such that the starting
virtual address of B is greater than (ending virtual address of A <<
PAGE_SHIFT). In this case, the pages in B would not be unmapped. If
pages are not properly unmapped during truncate, the following BUG is
hit:

kernel BUG at fs/hugetlbfs/inode.c:428!

In the fallocate hole punch case, this bug could prevent pages from
being unmapped as in the truncate case. However, for hole punch the
result is that unmapped pages will not be removed during the operation.
For hole punch, it is also possible that more pages than desired will be
unmapped. This unnecessary unmapping will cause page faults to
reestablish the mappings on subsequent page access.

Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")
Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: <stable@vger.kernel.org> [4.3]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
fs/hugetlbfs/inode.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index bbc333b01ca3..9c07d2d754c9 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
*/
vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
unsigned long v_offset;
+ unsigned long v_end;
/*
* Can the expression below overflow on 32-bit arches?
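Review bot: the function context in the hunk header is `hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)`, but the Subject and the description consistently say hugetlb_vmtruncate_list(); the changelog should name the function as it exists in the tree, since hugetlb_vmtruncate_list() only survives in the title of the Fixes: commit and a reader searching this file will look for hugetlb_vmdelete_list(). No concern with the `unsigned long v_end;` declaration itself.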
@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
else
v_offset = 0;
- if (end) {
- end = ((end - start) << PAGE_SHIFT) +
- vma->vm_start + v_offset;
- if (end > vma->vm_end)
- end = vma->vm_end;
- } else
- end = vma->vm_end;
+ if (!end)
+ v_end = vma->vm_end;
+ else {
+ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT)
+ + vma->vm_start;
+ if (v_end > vma->vm_end)
+ v_end = vma->vm_end;
+ }
- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
+ NULL);
}
}
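Review bot: `v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT) + vma->vm_start` has the same shape as the v_offset shift that the comment above it already questions for 32-bit overflow, and a wrapped result could land below vma->vm_end and slip through the `if (v_end > vma->vm_end)` clamp; either extend that comment to cover v_end or add a note on why `end - vma->vm_pgoff` is bounded here. Also worth a one-line comment is the convention for `end`: the foreach passes it through unchanged as the range bound (`end ? end : ULONG_MAX`) while the v_end arithmetic treats it as an exclusive page index, so a reader has to reconstruct which one is meant.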
--
2.5.0
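As an added illustration, not part of the kernel patch or of this Fedora commit, the following C model reproduces the two defects the commit message describes: the incorrect conversion of `end` to a virtual address and its write-back into the loop bound. vma_interval_tree_foreach() is replaced by a toy linear scan, and the page sizes and the two mappings are constructed values.

```c
#include <limits.h>
#include <stddef.h>
#define PAGE_SHIFT 12UL    /* constructed: 4 KiB base pages, the unit of pgoff */
#define HPAGE (2UL << 20)  /* constructed: 2 MiB huge pages */
struct vma { unsigned long vm_start, vm_end, vm_pgoff; };

/* Toy vma_interval_tree_foreach(): next vma from *i whose file pages overlap [start, last]. */
static const struct vma *next_overlap(const struct vma *v, size_t n, size_t *i,
                                      unsigned long start, unsigned long last)
{
    for (; *i < n; (*i)++) {
        unsigned long pg_last = v[*i].vm_pgoff + ((v[*i].vm_end - v[*i].vm_start) >> PAGE_SHIFT) - 1;
        if (v[*i].vm_pgoff <= last && pg_last >= start)
            return &v[(*i)++];
    }
    return NULL;
}

/* Model of hugetlb_vmdelete_list(): stores each visited vma's unmap end in v_ends and returns
 * a bitmask of vmas given a non-empty range. fixed=0 reproduces the pre-patch arithmetic. */
static unsigned vmdelete_list(const struct vma *v, size_t n, unsigned long start,
                              unsigned long end, int fixed, unsigned long *v_ends)
{
    unsigned hit = 0; size_t i = 0; const struct vma *vma;
    while ((vma = next_overlap(v, n, &i, start, end ? end : ULONG_MAX)) != NULL) {
        unsigned long v_offset = start > vma->vm_pgoff ? (start - vma->vm_pgoff) << PAGE_SHIFT : 0;
        unsigned long v_end;
        if (!end)
            v_end = vma->vm_end;
        else if (fixed)  /* patched: convert end relative to this vma's own file offset */
            v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT) + vma->vm_start;
        else             /* old: convert relative to start, then add v_offset on top */
            v_end = ((end - start) << PAGE_SHIFT) + vma->vm_start + v_offset;
        if (v_end > vma->vm_end) v_end = vma->vm_end;
        if (!fixed) end = v_end;  /* old code wrote the vaddr back into end, the foreach bound */
        v_ends[vma - v] = v_end;
        if (vma->vm_start + v_offset < v_end) hit |= 1u << (vma - v);
    }
    return hit;
}

/* Constructed mappings of one file: A at offset 0; B (two huge pages) at file page 0x800000,
 * a page index numerically above A's end address, the kind of gap the commit message describes. */
static const struct vma sample[2] = { { 0x200000UL, 0x200000UL + HPAGE, 0 },
                                      { 0x40000000UL, 0x40000000UL + 2 * HPAGE, 0x800000UL } };
/* Truncate to zero (start = end = 0): bit 1 set means B was visited and unmapped. */
static unsigned truncate_hits(int fixed) { unsigned long e[2]; return vmdelete_list(sample, 2, 0, 0, fixed, e); }
/* Hole punch of file pages [0x7ffe00, 0x800200), which should touch only B's first huge page. */
static unsigned long punch_v_end_of_B(int fixed)
{ unsigned long e[2] = { 0, 0 }; vmdelete_list(sample, 2, 0x7ffe00UL, 0x800200UL, fixed, e); return e[1]; }
```

With the old arithmetic the truncate skips B entirely (the commit message's "pages in B would not be unmapped" case) and the hole punch unmaps both of B's huge pages instead of one; the patched arithmetic visits both vmas and stops at B's first huge page.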
@ -628,6 +628,9 @@ Patch645: cfg80211-wext-fix-message-ordering.patch
#rhbz 1255325
Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch
#CVE-2016-0617 rhbz 1305803 1305804
Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch
# END OF PATCH DEFINITIONS
%endif
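Review bot: the new entry is numbered Patch648 directly after Patch646, so at least within this hunk Patch647 is unused; if 647 is not taken elsewhere in the spec, numbering this entry 647 keeps the list contiguous, and otherwise a short comment on the gap saves the next editor from wondering whether a line was dropped.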
@ -2071,6 +2074,9 @@ fi
#
#
%changelog
* Tue Feb 09 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804)
* Mon Feb 01 2016 Laura Abbott <labbott@fedoraproject.org>
- Linux v4.4.1