From: Greg Kroah-Hartman
Date: Sat, 1 Aug 2015 00:02:44 +0000 (-0700)
Subject: 4.1-stable patches
X-Git-Tag: v4.1.4~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1cb287bae4644a84d7b8bbbabce0c72a0138e47d;p=thirdparty%2Fkernel%2Fstable-queue.git
4.1-stable patches
added patches:
mm-avoid-setting-up-anonymous-pages-into-file-mapping.patch
---
diff --git a/queue-4.1/mm-avoid-setting-up-anonymous-pages-into-file-mapping.patch b/queue-4.1/mm-avoid-setting-up-anonymous-pages-into-file-mapping.patch
new file mode 100644
index 00000000000..f4b4699fd83
--- /dev/null
+++ b/queue-4.1/mm-avoid-setting-up-anonymous-pages-into-file-mapping.patch
@@ -0,0 +1,76 @@
+From 6b7339f4c31ad69c8e9c0b2859276e22cf72176d Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 6 Jul 2015 23:18:37 +0300
+Subject: mm: avoid setting up anonymous pages into file mapping
+
+From: "Kirill A. Shutemov"
+
+commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d upstream.
+
+Reading page fault handler code I've noticed that under right
+circumstances kernel would map anonymous pages into file mappings: if
+the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
+on ->mmap(), kernel would handle page fault to not populated pte with
+do_anonymous_page().
+
+Let's change page fault handler to use do_anonymous_page() only on
+anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
+shared.
+
+For file mappings without vm_ops->fault() or shred VMA without vm_ops,
+page fault on pte_none() entry would lead to SIGBUS.
+
+Signed-off-by: Kirill A. Shutemov
+Acked-by: Oleg Nesterov
+Cc: Andrew Morton
+Cc: Willy Tarreau
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/memory.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2669,6 +2669,10 @@ static int do_anonymous_page(struct mm_s
+ 
+ pte_unmap(page_table);
+ 
++ /* File mapping without ->vm_ops ? */
++ if (vma->vm_flags & VM_SHARED)
++ return VM_FAULT_SIGBUS;
++
+ /* Check if we need to add a guard page to the stack */
+ if (check_stack_guard_page(vma, address) < 0)
+ return VM_FAULT_SIGSEGV;
+@@ -3097,6 +3101,9 @@ static int do_fault(struct mm_struct *mm
+ - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff;
+ 
+ pte_unmap(page_table);
++ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
++ if (!vma->vm_ops->fault)
++ return VM_FAULT_SIGBUS;
+ if (!(flags & FAULT_FLAG_WRITE))
+ return do_read_fault(mm, vma, address, pmd, pgoff, flags,
+ orig_pte);
+@@ -3242,13 +3249,12 @@ static int handle_pte_fault(struct mm_st
+ barrier();
+ if (!pte_present(entry)) {
+ if (pte_none(entry)) {
+- if (vma->vm_ops) {
+- if (likely(vma->vm_ops->fault))
+- return do_fault(mm, vma, address, pte,
+- pmd, flags, entry);
+- }
+- return do_anonymous_page(mm, vma, address,
+- pte, pmd, flags);
++ if (vma->vm_ops)
++ return do_fault(mm, vma, address, pte, pmd,
++ flags, entry);
++
++ return do_anonymous_page(mm, vma, address, pte, pmd,
++ flags);
+ }
+ return do_swap_page(mm, vma, address,
+ pte, pmd, flags, entry);
diff --git a/queue-4.1/series b/queue-4.1/series
index 6c87c890adb..cb17703615e 100644
--- a/queue-4.1/series
+++ b/queue-4.1/series
@@ -265,3 +265,4 @@ arm-8397-1-fix-vdsomunge-not-to-depend-on-glibc-specific-error.h.patch
 hpfs-kstrdup-out-of-memory-handling.patch
 hpfs-hpfs_error-remove-static-buffer-use-vsprintf-extension-pv-instead.patch
 fix-firmware-loader-uevent-buffer-null-pointer-dereference.patch
+mm-avoid-setting-up-anonymous-pages-into-file-mapping.patch
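Review bot: The new `if (vma->vm_flags & VM_SHARED) return VM_FAULT_SIGBUS;` in do_anonymous_page is explained only by the question `/* File mapping without ->vm_ops ? */`, which does not tell a reader why a shared VMA is refused at this point. I would state the invariant instead: `/* A VMA with no ->vm_ops but VM_SHARED set must not be backed by private anonymous pages; refuse the fault instead of silently installing them into a shared region */`. Together with the sibling check in do_fault, `if (!vma->vm_ops->fault) return VM_FAULT_SIGBUS;`, and the handle_pte_fault change that sends every VMA with vm_ops to do_fault, a driver that sets vm_ops without a ->fault callback and relies on populating the whole range at mmap() time now gets SIGBUS on a pte_none fault where it previously got an anonymous page; that is the stated intent, but it is a user-visible behaviour change that the stable backport note could call out in one sentence. The description's `shred VMA without vm_ops` presumably means `shared VMA`. do_anonymous_page, do_fault and handle_pte_fault each begin and end outside the quoted hunks.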