From 7661632b0dc0dcd9a620a9047115555bc11362b8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 14 Feb 2013 11:46:02 -0800 Subject: [PATCH] 3.0-stable patches added patches: x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch --- queue-3.0/series | 1 + ...rge-when-validating-a-kernel-address.patch | 82 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 queue-3.0/series create mode 100644 queue-3.0/x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch diff --git a/queue-3.0/series b/queue-3.0/series new file mode 100644 index 00000000000..a8559c93e60 --- /dev/null +++ b/queue-3.0/series @@ -0,0 +1 @@ +x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch diff --git a/queue-3.0/x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch b/queue-3.0/x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch new file mode 100644 index 00000000000..159c7c5d486 --- /dev/null +++ b/queue-3.0/x86-mm-check-if-pud-is-large-when-validating-a-kernel-address.patch @@ -0,0 +1,82 @@ +From 0ee364eb316348ddf3e0dfcd986f5f13f528f821 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Mon, 11 Feb 2013 14:52:36 +0000 +Subject: x86/mm: Check if PUD is large when validating a kernel address + +From: Mel Gorman + +commit 0ee364eb316348ddf3e0dfcd986f5f13f528f821 upstream. + +A user reported the following oops when a backup process reads +/proc/kcore: + + BUG: unable to handle kernel paging request at ffffbb00ff33b000 + IP: [] kern_addr_valid+0xbe/0x110 + [...] + + Call Trace: + [] read_kcore+0x17a/0x370 + [] proc_reg_read+0x77/0xc0 + [] vfs_read+0xc7/0x130 + [] sys_read+0x53/0xa0 + [] system_call_fastpath+0x16/0x1b + +Investigation determined that the bug triggered when reading +system RAM at the 4G mark. On this system, that was the first +address using 1G pages for the virt->phys direct mapping so the +PUD is pointing to a physical address, not a PMD page. + +The problem is that the page table walker in kern_addr_valid() is +not checking pud_large() and treats the physical address as if +it was a PMD. If it happens to look like pmd_none then it'll +silently fail, probably returning zeros instead of real data. If +the data happens to look like a present PMD though, it will be +walked resulting in the oops above. + +This patch adds the necessary pud_large() check. + +Unfortunately the problem was not readily reproducible and now +they are running the backup program without accessing +/proc/kcore so the patch has not been validated but I think it +makes sense. + +Signed-off-by: Mel Gorman +Reviewed-by: Rik van Riel +Reviewed-by: Michal Hocko +Acked-by: Johannes Weiner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pgtable.h | 5 +++++ + arch/x86/mm/init_64.c | 3 +++ + 2 files changed, 8 insertions(+) + +--- a/arch/x86/include/asm/pgtable.h ++++ b/arch/x86/include/asm/pgtable.h +@@ -142,6 +142,11 @@ static inline unsigned long pmd_pfn(pmd_ + return (pmd_val(pmd) & PTE_PFN_MASK) >> PAGE_SHIFT; + } + ++static inline unsigned long pud_pfn(pud_t pud) ++{ ++ return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT; ++} ++ + #define pte_page(pte) pfn_to_page(pte_pfn(pte)) + + static inline int pmd_large(pmd_t pte) +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -831,6 +831,9 @@ int kern_addr_valid(unsigned long addr) + if (pud_none(*pud)) + return 0; + ++ if (pud_large(*pud)) ++ return pfn_valid(pud_pfn(*pud)); ++ + pmd = pmd_offset(pud, addr); + if (pmd_none(*pmd)) + return 0; -- 2.47.3