CVE-2012-2390 huge pages: memory leak on mmap failure (rhbz 824352 824345)
parent
32cdc846dd
commit
f9d1ef9da6
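--- /dev/null
+++ b/hugetlb-fix-resv_map-leak-in-error-path.patch
@@ -0,0 +1,108 @@
+From c50ac050811d6485616a193eb0f37bfbd191cc89 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave@linux.vnet.ibm.com>
+Date: Tue, 29 May 2012 15:06:46 -0700
+Subject: [PATCH] hugetlb: fix resv_map leak in error path
+
+When called for anonymous (non-shared) mappings, hugetlb_reserve_pages()
+does a resv_map_alloc(). It depends on code in hugetlbfs's
+vm_ops->close() to release that allocation.
+
+However, in the mmap() failure path, we do a plain unmap_region() without
+the remove_vma() which actually calls vm_ops->close().
+
+This is a decent fix. This leak could get reintroduced if new code (say,
+after hugetlb_reserve_pages() in hugetlbfs_file_mmap()) decides to return
+an error. But, I think it would have to unroll the reservation anyway.
+
+Christoph's test case:
+
+http://marc.info/?l=linux-mm&m=133728900729735
+
+This patch applies to 3.4 and later. A version for earlier kernels is at
+https://lkml.org/lkml/2012/5/22/418.
+
+Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
+Acked-by: Mel Gorman <mel@csn.ul.ie>
+Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Reported-by: Christoph Lameter <cl@linux.com>
+Tested-by: Christoph Lameter <cl@linux.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org> [2.6.32+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+mm/hugetlb.c | 28 ++++++++++++++++++++++------
+1 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 41a647d..285a81e 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2157,6 +2157,15 @@ static void hugetlb_vm_op_open(struct vm_area_struct *vma)
+kref_get(&reservations->refs);
+}
+
++static void resv_map_put(struct vm_area_struct *vma)
++{
++ struct resv_map *reservations = vma_resv_map(vma);
++
++ if (!reservations)
++ return;
++ kref_put(&reservations->refs, resv_map_release);
++}
++
+static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+{
+struct hstate *h = hstate_vma(vma);
+@@ -2173,7 +2182,7 @@ static void hugetlb_vm_op_close(struct vm_area_struct *vma)
+reserve = (end - start) -
+region_count(&reservations->regions, start, end);
+
+- kref_put(&reservations->refs, resv_map_release);
++ resv_map_put(vma);
+
+if (reserve) {
+hugetlb_acct_memory(h, -reserve);
+@@ -2991,12 +3000,16 @@ int hugetlb_reserve_pages(struct inode *inode,
+set_vma_resv_flags(vma, HPAGE_RESV_OWNER);
+}
+
+- if (chg < 0)
+- return chg;
++ if (chg < 0) {
++ ret = chg;
++ goto out_err;
++ }
+
+/* There must be enough pages in the subpool for the mapping */
+- if (hugepage_subpool_get_pages(spool, chg))
+- return -ENOSPC;
++ if (hugepage_subpool_get_pages(spool, chg)) {
++ ret = -ENOSPC;
++ goto out_err;
++ }
+
+/*
+* Check enough hugepages are available for the reservation.
+@@ -3005,7 +3018,7 @@ int hugetlb_reserve_pages(struct inode *inode,
+ret = hugetlb_acct_memory(h, chg);
+if (ret < 0) {
+hugepage_subpool_put_pages(spool, chg);
+- return ret;
++ goto out_err;
+}
+
+/*
+@@ -3022,6 +3035,9 @@ int hugetlb_reserve_pages(struct inode *inode,
+if (!vma || vma->vm_flags & VM_MAYSHARE)
+region_add(&inode->i_mapping->private_list, from, to);
+return 0;
++out_err:
++ resv_map_put(vma);
++ return ret;
+}
+
+void hugetlb_unreserve_pages(struct inode *inode, long offset, long freed)
+--
+1.7.7.6
+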
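Review bot: The new `out_err:` label in hugetlb_reserve_pages() calls `resv_map_put(vma)` unconditionally, yet the context line `if (!vma || vma->vm_flags & VM_MAYSHARE)` in the same hunk shows this function is also entered with vma == NULL (the inode-only, non-mmap caller). resv_map_put() hands that pointer straight to vma_resv_map(); if vma_resv_map() dereferences its argument (its body is outside the hunk), the three error returns that were previously plain returns now become a NULL dereference for that caller, turning a reservation failure into a kernel oops. A one-line guard at the label is enough: `if (vma) resv_map_put(vma);`. Separately, the put does not clear the vma's private resv_map pointer, which is safe only while the failed mmap path never invokes vm_ops->close() on that vma, as the commit message assumes; a comment at the label stating that assumption would help the next person who changes the mmap error path. hugetlb_reserve_pages() begins before this hunk, so the early resv_map_alloc()/set_vma_resv_map() lines that the label unwinds are not visible here.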
10
kernel.spec
10
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# When changing real_sublevel below, reset this by hand to 1
|
||||
# (or to 0 and then use rpmdev-bumpspec).
|
||||
#
|
||||
%global baserelease 2
|
||||
%global baserelease 3
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# real_sublevel is the 3.x kernel version we're starting with
|
||||
|
@ -709,6 +709,8 @@ Patch22020: rtlwifi-fix-for-race-condition-when-firmware-is-cach.patch
|
|||
#rhbz 822825 822821 CVE-2012-2372
|
||||
Patch22021: mm-pmd_read_atomic-fix-32bit-PAE-pmd-walk-vs-pmd_populate-SMP-race-condition.patch
|
||||
|
||||
#rhbz 824352 824345 CVE-2012-2390
|
||||
Patch22022: hugetlb-fix-resv_map-leak-in-error-path.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
|
@ -1310,6 +1312,9 @@ ApplyPatch rtlwifi-fix-for-race-condition-when-firmware-is-cach.patch
|
|||
#rhbz 822825 822821 CVE-2012-2372
|
||||
ApplyPatch mm-pmd_read_atomic-fix-32bit-PAE-pmd-walk-vs-pmd_populate-SMP-race-condition.patch
|
||||
|
||||
#rhbz 824352 824345 CVE-2012-2390
|
||||
ApplyPatch hugetlb-fix-resv_map-leak-in-error-path.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -1962,6 +1967,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Wed May 30 2012 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2012-2390 huge pages: memory leak on mmap failure (rhbz 824352 824345)
|
||||
|
||||
* Thu May 24 2012 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2012-2372 mm: 32bit PAE pmd walk vs populate SMP race (rhbz 822821 822825)
|
||||
|
||||