From 9033926b3bcfd368c2993cc2ef61dae74ecee0c3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 1 Jun 2012 09:20:40 -0700 Subject: [PATCH] 3.4-stable patches added patches: mm-fix-vma_resv_map-null-pointer.patch --- .../mm-fix-vma_resv_map-null-pointer.patch | 68 +++++++++++++++++++ queue-3.4/series | 1 + 2 files changed, 69 insertions(+) create mode 100644 queue-3.4/mm-fix-vma_resv_map-null-pointer.patch diff --git a/queue-3.4/mm-fix-vma_resv_map-null-pointer.patch b/queue-3.4/mm-fix-vma_resv_map-null-pointer.patch new file mode 100644 index 00000000000..89c09e72079 --- /dev/null +++ b/queue-3.4/mm-fix-vma_resv_map-null-pointer.patch 
@@ -0,0 +1,68 @@ +From 4523e1458566a0e8ecfaff90f380dd23acc44d27 Mon Sep 17 00:00:00 2001 +From: Dave Hansen +Date: Wed, 30 May 2012 07:51:07 -0700 +Subject: mm: fix vma_resv_map() NULL pointer + +From: Dave Hansen + +commit 4523e1458566a0e8ecfaff90f380dd23acc44d27 upstream. + +hugetlb_reserve_pages() can be used for either normal file-backed +hugetlbfs mappings, or MAP_HUGETLB. In the MAP_HUGETLB, semi-anonymous +mode, there is not a VMA around. The new call to resv_map_put() assumed +that there was, and resulted in a NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 + IP: vma_resv_map+0x9/0x30 + PGD 141453067 PUD 1421e1067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP + ... + Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36 + RIP: vma_resv_map+0x9/0x30 + ... + Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0) + Call Trace: + resv_map_put+0xe/0x40 + hugetlb_reserve_pages+0xa6/0x1d0 + hugetlb_file_setup+0x102/0x2c0 + newseg+0x115/0x360 + ipcget+0x1ce/0x310 + sys_shmget+0x5a/0x60 + system_call_fastpath+0x16/0x1b + +This was reported by Dave Jones, but was reproducible with the +libhugetlbfs test cases, so shame on me for not running them in the +first place. + +With this, the oops is gone, and the output of libhugetlbfs's +run_tests.py is identical to plain 3.4 again. 
+ +[ Marked for stable, since this was introduced by commit c50ac050811d + ("hugetlb: fix resv_map leak in error path") which was also marked for + stable ] + +Reported-by: Dave Jones +Cc: Mel Gorman +Cc: KOSAKI Motohiro +Cc: Christoph Lameter +Cc: Andrea Arcangeli +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -3035,7 +3035,8 @@ int hugetlb_reserve_pages(struct inode * + region_add(&inode->i_mapping->private_list, from, to); + return 0; + out_err: +- resv_map_put(vma); ++ if (vma) ++ resv_map_put(vma); + return ret; + } + diff --git a/queue-3.4/series b/queue-3.4/series index 2d7ae4aab86..d7fddd4968d 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -32,3 +32,4 @@ drm-i915-adding-tv-out-missing-modes.patch drm-i915-wait-for-a-vblank-to-pass-after-tv-detect.patch drm-i915-no-lvds-quirk-for-hp-t5740e-thin-client.patch kbuild-install-kernel-page-flags.h.patch +mm-fix-vma_resv_map-null-pointer.patch -- 2.47.3
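Review bot: the `if (vma)` guard added at the `out_err:` label in mm/hugetlb.c is the correct minimal fix, but nothing in the visible function body says that vma may legitimately be NULL, which is exactly how commit c50ac050811d came to add the unguarded `resv_map_put(vma);` in the first place; a one-line comment above the new check, along the lines of `/* MAP_HUGETLB / shmget callers (hugetlb_file_setup) have no VMA */`, would make the invariant visible to the next person who touches this error path. The success path in the same hunk (`region_add(&inode->i_mapping->private_list, from, to);`) works purely off the inode, so the asymmetry is confined to the cleanup; it would be worth noting in the commit message whether the vma-less path has any reservation state that the guarded-out resv_map_put was previously expected to release, since the hunk alone cannot show that. Finally, because this fix only makes sense if the backport of c50ac050811d is already applied, confirm that that patch sits earlier in queue-3.4/series than the new entry appended here; the four context lines shown in the series hunk do not include it.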