CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)

kernel.spec

@@ -642,6 +642,9 @@ Patch25071: s390-appldata-add-slab.h-for-kzalloc-kfree.patch
 # CVE-2014-3917 rhbz 1102571 1102715
 Patch25093: auditsc-audit_krule-mask-accesses-need-bounds-checking.patch
 
+# CVE-2014-3940 rhbz 1104097 1105042
+Patch25094: mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
 Patch26000: perf-lib64.patch
 
 # Patch series from Hans for various backlight and platform driver fixes
@@ -1395,6 +1398,10 @@ ApplyPatch acpi-video-Unregister-the-backlight-device-if-a-raw-.patch
 ApplyPatch acpi-video-Add-use-native-backlight-quirk-for-the-Th.patch
 ApplyPatch acpi-video-Add-use_native_backlight-quirk-for-HP-Pro.patch
 
+
+# CVE-2014-3940 rhbz 1104097 1105042
+ApplyPatch mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2268,6 +2275,7 @@ fi
 #                                    ||     ||
 %changelog
 * Fri Jun 06 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.15.0-0.rc8.git4.1
+- CVE-2014-3940 missing check during hugepage migration (rhbz 1104097 1105042)
 - Linux v3.15-rc8-81-g951e273060d1
 
 * Thu Jun 05 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.15.0-0.rc8.git3.1

mm-add-pte_present-check-on-existing-hugetlb_entry-callbacks.patch

@@ -0,0 +1,71 @@
+Bugzilla: 1104097 1105042
+Upstream-status: Queued in linux-next, CC'd to stable
+
+From ecc894926ef62080c2a4c4286eccce9d2f30f05a Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Fri, 6 Jun 2014 10:00:01 -0400
+Subject: [PATCH] mm: add !pte_present() check on existing hugetlb_entry
+ callbacks
+
+Page table walker doesn't check non-present hugetlb entry in common path,
+so hugetlb_entry() callbacks must check it. The reason for this behavior
+is that some callers want to handle it in its own way.
+
+However, some callers don't check it now, which causes unpredictable
+result, for example when we have a race between migrating hugepage and
+reading /proc/pid/numa_maps. This patch fixes it by adding !pte_present
+checks on buggy callbacks.
+
+This bug exists for years and got visible by introducing hugepage migration.
+
+ChangeLog v2:
+- fix if condition (check !pte_present() instead of pte_present())
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: <stable@vger.kernel.org> [3.12+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+
+[ Backported to 3.15.  Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ]
+---
+ fs/proc/task_mmu.c | 3 +++
+ mm/mempolicy.c     | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
+index 442177b1119a..89620cdb57c9 100644
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1354,6 +1354,9 @@ static int gather_hugetbl_stats(pte_t *pte, unsigned long hmask,
+ 	if (pte_none(*pte))
+ 		return 0;
+ 
++	if (!pte_present(*pte))
++		return 0;
++
+ 	page = pte_page(*pte);
+ 	if (!page)
+ 		return 0;
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 78e1472933ea..30cc47f8ffa0 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -526,9 +526,13 @@ static void queue_pages_hugetlb_pmd_range(struct vm_area_struct *vma,
+ 	int nid;
+ 	struct page *page;
+ 	spinlock_t *ptl;
++	pte_t entry;
+ 
+ 	ptl = huge_pte_lock(hstate_vma(vma), vma->vm_mm, (pte_t *)pmd);
+-	page = pte_page(huge_ptep_get((pte_t *)pmd));
++	entry = huge_ptep_get((pte_t *)pmd);
++	if (!pte_present(entry))
++		goto unlock;
++	page = pte_page(entry);
+ 	nid = page_to_nid(page);
+ 	if (node_isset(nid, *nodes) == !!(flags & MPOL_MF_INVERT))
+ 		goto unlock;
+-- 
+1.9.3
+