--- /dev/null
+From 373c4557d2aa362702c4c2d41288fb1e54990b7c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 14 Nov 2017 01:03:44 +0100
+Subject: mm/pagewalk.c: report holes in hugetlb ranges
+
+From: Jann Horn <jannh@google.com>
+
+commit 373c4557d2aa362702c4c2d41288fb1e54990b7c upstream.
+
+This matters at least for the mincore syscall, which will otherwise copy
+uninitialized memory from the page allocator to userspace. It is
+probably also a correctness error for /proc/$pid/pagemap, but I haven't
+tested that.
+
+Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has
+no effect because the caller already checks for that.
+
+This only reports holes in hugetlb ranges to callers who have specified
+a hugetlb_entry callback.
+
+This issue was found using an AFL-based fuzzer.
+
+v2:
+ - don't crash on ->pte_hole==NULL (Andrew Morton)
+ - add Cc stable (Andrew Morton)
+
+Changed for 4.4/4.9 stable backport:
+ - fix up conflict in the huge_pte_offset() call
+
+Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ mm/pagewalk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/mm/pagewalk.c
++++ b/mm/pagewalk.c
+@@ -142,8 +142,12 @@ static int walk_hugetlb_range(unsigned l
+ do {
+ next = hugetlb_entry_end(h, addr, end);
+ pte = huge_pte_offset(walk->mm, addr & hmask);
+- if (pte && walk->hugetlb_entry)
++
++ if (pte)
+ err = walk->hugetlb_entry(pte, hmask, addr, next, walk);
++ else if (walk->pte_hole)
++ err = walk->pte_hole(addr, next, walk);
++
+ if (err)
+ break;
+ } while (addr = next, addr != end);
projects / thirdparty / kernel / stable-queue.git / commitdiff
