[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.39 / patches.arch / ppc-valid-hugepage-size-hugetlb_get_unmapped_area.patch

Subject: Check for valid hugepage size in hugetlb_get_unmapped_area
From: Brian King <brking@linux.vnet.ibm.com>
References: 456433 - LTC50170

It looks like most of the hugetlb code is doing the correct thing if
hugepages are not supported, but the mmap code is not. If we get into
the mmap code when hugepages are not supported, such as in an LPAR
which is running Active Memory Sharing, we can oops the kernel. This
patch fixes the oops being seen in this path.

ops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=1024 NUMA pSeries
Modules linked in: nfs(N) lockd(N) nfs_acl(N) sunrpc(N) ipv6(N) fuse(N) loop(N)
dm_mod(N) sg(N) ibmveth(N) sd_mod(N) crc_t10dif(N) ibmvscsic(N)
scsi_transport_srp(N) scsi_tgt(N) scsi_mod(N)
Supported: No
NIP: c000000000038d60 LR: c00000000003945c CTR: c0000000000393f0
REGS: c000000077e7b830 TRAP: 0300   Tainted: G
(2.6.27.5-bz50170-2-ppc64)
MSR: 8000000000009032 <EE,ME,IR,DR>  CR: 44000448  XER: 20000001
DAR: c000002000af90a8, DSISR: 0000000040000000
TASK = c00000007c1b8600[4019] 'hugemmap01' THREAD: c000000077e78000 CPU: 6
GPR00: 0000001fffffffe0 c000000077e7bab0 c0000000009a4e78 0000000000000000
GPR04: 0000000000010000 0000000000000001 00000000ffffffff 0000000000000001
GPR08: 0000000000000000 c000000000af90c8 0000000000000001 0000000000000000
GPR12: 000000000000003f c000000000a73880 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000010000
GPR20: 0000000000000000 0000000000000003 0000000000010000 0000000000000001
GPR24: 0000000000000003 0000000000000000 0000000000000001 ffffffffffffffb5
GPR28: c000000077ca2e80 0000000000000000 c00000000092af78 0000000000010000
NIP [c000000000038d60] .slice_get_unmapped_area+0x6c/0x4e0
LR [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
Call Trace:
[c000000077e7bbc0] [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
[c000000077e7bc30] [c000000000107e30] .get_unmapped_area+0x64/0xd8
[c000000077e7bcb0] [c00000000010b140] .do_mmap_pgoff+0x140/0x420
[c000000077e7bd80] [c00000000000bf5c] .sys_mmap+0xc4/0x140
[c000000077e7be30] [c0000000000086b4] syscall_exit+0x0/0x40
Instruction dump:
fac1ffb0 fae1ffb8 fb01ffc0 fb21ffc8 fb41ffd0 fb61ffd8 fb81ffe0 fbc1fff0
fbe1fff8 f821fef1 f8c10158 f8e10160 <7d49002e> f9010168 e92d01b0 eb4902b0

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Olaf Hering <olh@suse.de>

---
 arch/powerpc/mm/hugetlbpage.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/powerpc/mm/hugetlbpage.c
+++ b/arch/powerpc/mm/hugetlbpage.c
@@ -500,6 +500,9 @@ unsigned long hugetlb_get_unmapped_area(
 {
 	struct hstate *hstate = hstate_file(file);
 	int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate));
+
+	if (!mmu_huge_psizes[mmu_psize])
+		return -EINVAL;
 	return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1, 0);
 }
Commit	Line	Data
2cb7cef9 BS	1	Subject: Check for valid hugepage size in hugetlb_get_unmapped_area
	2	From: Brian King <brking@linux.vnet.ibm.com>
	3	References: 456433 - LTC50170
	4
	5	It looks like most of the hugetlb code is doing the correct thing if
	6	hugepages are not supported, but the mmap code is not. If we get into
	7	the mmap code when hugepages are not supported, such as in an LPAR
	8	which is running Active Memory Sharing, we can oops the kernel. This
	9	patch fixes the oops being seen in this path.
	10
	11	ops: Kernel access of bad area, sig: 11 [#1]
	12	SMP NR_CPUS=1024 NUMA pSeries
	13	Modules linked in: nfs(N) lockd(N) nfs_acl(N) sunrpc(N) ipv6(N) fuse(N) loop(N)
	14	dm_mod(N) sg(N) ibmveth(N) sd_mod(N) crc_t10dif(N) ibmvscsic(N)
	15	scsi_transport_srp(N) scsi_tgt(N) scsi_mod(N)
	16	Supported: No
	17	NIP: c000000000038d60 LR: c00000000003945c CTR: c0000000000393f0
	18	REGS: c000000077e7b830 TRAP: 0300 Tainted: G
	19	(2.6.27.5-bz50170-2-ppc64)
	20	MSR: 8000000000009032 <EE,ME,IR,DR> CR: 44000448 XER: 20000001
	21	DAR: c000002000af90a8, DSISR: 0000000040000000
	22	TASK = c00000007c1b8600[4019] 'hugemmap01' THREAD: c000000077e78000 CPU: 6
	23	GPR00: 0000001fffffffe0 c000000077e7bab0 c0000000009a4e78 0000000000000000
	24	GPR04: 0000000000010000 0000000000000001 00000000ffffffff 0000000000000001
	25	GPR08: 0000000000000000 c000000000af90c8 0000000000000001 0000000000000000
	26	GPR12: 000000000000003f c000000000a73880 0000000000000000 0000000000000000
	27	GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000010000
	28	GPR20: 0000000000000000 0000000000000003 0000000000010000 0000000000000001
	29	GPR24: 0000000000000003 0000000000000000 0000000000000001 ffffffffffffffb5
	30	GPR28: c000000077ca2e80 0000000000000000 c00000000092af78 0000000000010000
	31	NIP [c000000000038d60] .slice_get_unmapped_area+0x6c/0x4e0
	32	LR [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
	33	Call Trace:
	34	[c000000077e7bbc0] [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
	35	[c000000077e7bc30] [c000000000107e30] .get_unmapped_area+0x64/0xd8
	36	[c000000077e7bcb0] [c00000000010b140] .do_mmap_pgoff+0x140/0x420
	37	[c000000077e7bd80] [c00000000000bf5c] .sys_mmap+0xc4/0x140
	38	[c000000077e7be30] [c0000000000086b4] syscall_exit+0x0/0x40
	39	Instruction dump:
	40	fac1ffb0 fae1ffb8 fb01ffc0 fb21ffc8 fb41ffd0 fb61ffd8 fb81ffe0 fbc1fff0
	41	fbe1fff8 f821fef1 f8c10158 f8e10160 <7d49002e> f9010168 e92d01b0 eb4902b0
	42
	43	Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
	44	Signed-off-by: Olaf Hering <olh@suse.de>
	45
	46	---
	47	arch/powerpc/mm/hugetlbpage.c \| 3 +++
	48	1 file changed, 3 insertions(+)
	49
	50	--- a/arch/powerpc/mm/hugetlbpage.c
	51	+++ b/arch/powerpc/mm/hugetlbpage.c
	52	@@ -500,6 +500,9 @@ unsigned long hugetlb_get_unmapped_area(
	53	{
	54	struct hstate *hstate = hstate_file(file);
	55	int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate));
	56	+
	57	+ if (!mmu_huge_psizes[mmu_psize])
	58	+ return -EINVAL;
	59	return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1, 0);
	60	}
	61