From: Greg Kroah-Hartman Date: Fri, 19 Apr 2013 18:40:15 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.8.9~21^2~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=acf37e5b0e2ee7d2ec26916752e70d66e08101a5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch --- diff --git a/queue-3.4/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch b/queue-3.4/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch new file mode 100644 index 00000000000..7b64b833051 --- /dev/null +++ b/queue-3.4/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch @@ -0,0 +1,75 @@ +From 9cc3a5bd40067b9a0fbd49199d0780463fc2140f Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Wed, 17 Apr 2013 15:58:30 -0700 +Subject: hugetlbfs: add swap entry check in follow_hugetlb_page() + +From: Naoya Horiguchi + +commit 9cc3a5bd40067b9a0fbd49199d0780463fc2140f upstream. + +With applying the previous patch "hugetlbfs: stop setting VM_DONTDUMP in +initializing vma(VM_HUGETLB)" to reenable hugepage coredump, if a memory +error happens on a hugepage and the affected processes try to access the +error hugepage, we hit VM_BUG_ON(atomic_read(&page->_count) <= 0) in +get_page(). + +The reason for this bug is that coredump-related code doesn't recognise +"hugepage hwpoison entry" with which a pmd entry is replaced when a memory +error occurs on a hugepage. + +In other words, physical address information is stored in different bit +layout between hugepage hwpoison entry and pmd entry, so +follow_hugetlb_page() which is called in get_dump_page() returns a wrong +page from a given address. + +The expected behavior is like this: + + absent is_swap_pte FOLL_DUMP Expected behavior + ------------------------------------------------------------------- + true false false hugetlb_fault + false true false hugetlb_fault + false false false return page + true false true skip page (to avoid allocation) + false true true hugetlb_fault + false false true return page + +With this patch, we can call hugetlb_fault() and take proper actions (we +wait for migration entries, fail with VM_FAULT_HWPOISON_LARGE for +hwpoisoned entries,) and as the result we can dump all hugepages except +for hwpoisoned ones. + +Signed-off-by: Naoya Horiguchi +Cc: Rik van Riel +Acked-by: Michal Hocko +Cc: HATAYAMA Daisuke +Acked-by: KOSAKI Motohiro +Acked-by: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2906,7 +2906,17 @@ int follow_hugetlb_page(struct mm_struct + break; + } + +- if (absent || ++ /* ++ * We need call hugetlb_fault for both hugepages under migration ++ * (in which case hugetlb_fault waits for the migration,) and ++ * hwpoisoned hugepages (in which case we need to prevent the ++ * caller from accessing to them.) In order to do this, we use ++ * here is_swap_pte instead of is_hugetlb_entry_migration and ++ * is_hugetlb_entry_hwpoisoned. This is because it simply covers ++ * both cases, and because we can't follow correct pages ++ * directly from any kind of swap entries. ++ */ ++ if (absent || is_swap_pte(huge_ptep_get(pte)) || + ((flags & FOLL_WRITE) && !pte_write(huge_ptep_get(pte)))) { + int ret; + diff --git a/queue-3.4/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch b/queue-3.4/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch new file mode 100644 index 00000000000..762e0097ae9 --- /dev/null +++ b/queue-3.4/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch @@ -0,0 +1,50 @@ +From b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f Mon Sep 17 00:00:00 2001 +From: Emese Revfy +Date: Wed, 17 Apr 2013 15:58:36 -0700 +Subject: kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + +From: Emese Revfy + +commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream. + +This fixes a kernel memory contents leak via the tkill and tgkill syscalls +for compat processes. + +This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field +when handling signals delivered from tkill. + +The place of the infoleak: + +int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) +{ + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... +} + +Signed-off-by: Emese Revfy +Reviewed-by: PaX Team +Signed-off-by: Kees Cook +Cc: Al Viro +Cc: Oleg Nesterov +Cc: "Eric W. Biederman" +Cc: Serge Hallyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2867,7 +2867,7 @@ do_send_specific(pid_t tgid, pid_t pid, + + static int do_tkill(pid_t tgid, pid_t pid, int sig) + { +- struct siginfo info; ++ struct siginfo info = {}; + + info.si_signo = sig; + info.si_errno = 0; diff --git a/queue-3.4/series b/queue-3.4/series index 6659be4bfcd..408a9ec0437 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -1,3 +1,5 @@ arm-do-15e0d9e37c-arm-pm-let-platforms-select-cpu_suspend-support-properly.patch hrtimer-don-t-reinitialize-a-cpu_base-lock-on-cpu_up.patch can-sja1000-fix-handling-on-dt-properties-on-little-endian-systems.patch +hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch +kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch