From: Greg Kroah-Hartman Date: Sat, 11 May 2013 22:25:01 +0000 (-0700) Subject: 3.9-stable patches X-Git-Tag: v3.0.79~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2bee7217d8f3e7219e774bb42656e9c50cb2ff1;p=thirdparty%2Fkernel%2Fstable-queue.git 3.9-stable patches added patches: shm-fix-null-pointer-deref-when-userspace-specifies-invalid-hugepage-size.patch
---
diff --git a/queue-3.9/series b/queue-3.9/series
index b51f0fa9874..55b1a9b7a48 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -25,3 +25,4 @@ nfsd4-don-t-allow-owner-override-on-4.1-claim_fh-opens.patch
 nfsd-fix-oops-when-legacy_recdir_name_error-is-passed-a.patch
 hp_accel-ignore-the-error-from-lis3lv02d_poweron-at-resume.patch
 x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
+shm-fix-null-pointer-deref-when-userspace-specifies-invalid-hugepage-size.patch
diff --git a/queue-3.9/shm-fix-null-pointer-deref-when-userspace-specifies-invalid-hugepage-size.patch b/queue-3.9/shm-fix-null-pointer-deref-when-userspace-specifies-invalid-hugepage-size.patch
new file mode 100644
index 00000000000..aae02b3ea15
--- /dev/null
+++ b/queue-3.9/shm-fix-null-pointer-deref-when-userspace-specifies-invalid-hugepage-size.patch
@@ -0,0 +1,72 @@
+From 091d0d55b286c9340201b4ed4470be87fc568228 Mon Sep 17 00:00:00 2001
+From: Li Zefan
+Date: Thu, 9 May 2013 15:08:15 +0800
+Subject: shm: fix null pointer deref when userspace specifies invalid hugepage size
+
+From: Li Zefan
+
+commit 091d0d55b286c9340201b4ed4470be87fc568228 upstream.
+
+Dave reported an oops triggered by trinity:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: newseg+0x10d/0x390
+ PGD cf8c1067 PUD cf8c2067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ CPU: 2 PID: 7636 Comm: trinity-child2 Not tainted 3.9.0+#67
+ ...
+ Call Trace:
+ ipcget+0x182/0x380
+ SyS_shmget+0x5a/0x60
+ tracesys+0xdd/0xe2
+
+This bug was introduced by commit af73e4d9506d ("hugetlbfs: fix mmap
+failure in unaligned size request").
+
+Reported-by: Dave Jones
+Signed-off-by: Li Zefan
+Reviewed-by: Naoya Horiguchi
+Acked-by: Rik van Riel
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/shm.c | 8 +++++++-
+ mm/mmap.c | 8 ++++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -493,7 +493,13 @@ static int newseg(struct ipc_namespace *
+ if (shmflg & SHM_HUGETLB) {
+ struct hstate *hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT)
+ & SHM_HUGE_MASK);
+- size_t hugesize = ALIGN(size, huge_page_size(hs));
++ size_t hugesize;
++
++ if (!hs) {
++ error = -EINVAL;
++ goto no_file;
++ }
++ hugesize = ALIGN(size, huge_page_size(hs));
+
+ /* hugetlb_file_setup applies strict accounting */
+ if (shmflg & SHM_NORESERVE)
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1331,9 +1331,13 @@ SYSCALL_DEFINE6(mmap_pgoff, unsigned lon
+ len = ALIGN(len, huge_page_size(hstate_file(file)));
+ } else if (flags & MAP_HUGETLB) {
+ struct user_struct *user = NULL;
++ struct hstate *hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) &
++ SHM_HUGE_MASK);
+
+- len = ALIGN(len, huge_page_size(hstate_sizelog(
+- (flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK)));
++ if (!hs)
++ return -EINVAL;
++
++ len = ALIGN(len, huge_page_size(hs));
+ /*
+ * VM_NORESERVE is used because the reservations will be
+ * taken when vm_ops->mmap() is called
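Review bot: The mm/mmap.c hunk changes the mask used to extract the page-size log from `MAP_HUGE_MASK` (on the removed line) to `SHM_HUGE_MASK` in the new `hstate_sizelog((flags >> MAP_HUGE_SHIFT) & SHM_HUGE_MASK)` call, so the mmap path now depends on the shm definition of that field. If the two masks are defined to the same value this is only a naming inconsistency, but the mmap flag namespace should stay self-contained: `struct hstate *hs = hstate_sizelog((flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);`. The `!hs` rejection itself is the right shape for both callers — `hstate_sizelog()` is now treated as able to return NULL for an unrecognised size, and both `newseg()` and `mmap_pgoff()` return -EINVAL before `huge_page_size()` dereferences it, which closes the userspace-triggerable oops in the report; in `newseg()` the `goto no_file` path is presumably the existing early-error unwind, which is worth confirming against the function body. Both enclosing functions start and end outside the hunk.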