1 Subject: Check for valid hugepage size in hugetlb_get_unmapped_area
2 From: Brian King <brking@linux.vnet.ibm.com>
3 References: 456433 - LTC50170
4
5 It looks like most of the hugetlb code is doing the correct thing if
6 hugepages are not supported, but the mmap code is not. If we get into
7 the mmap code when hugepages are not supported, such as in an LPAR
8 which is running Active Memory Sharing, we can oops the kernel. This
9 patch fixes the oops being seen in this path.
10
11 Oops: Kernel access of bad area, sig: 11 [#1]
12 SMP NR_CPUS=1024 NUMA pSeries
13 Modules linked in: nfs(N) lockd(N) nfs_acl(N) sunrpc(N) ipv6(N) fuse(N) loop(N)
14 dm_mod(N) sg(N) ibmveth(N) sd_mod(N) crc_t10dif(N) ibmvscsic(N)
15 scsi_transport_srp(N) scsi_tgt(N) scsi_mod(N)
16 Supported: No
17 NIP: c000000000038d60 LR: c00000000003945c CTR: c0000000000393f0
18 REGS: c000000077e7b830 TRAP: 0300 Tainted: G
19 (2.6.27.5-bz50170-2-ppc64)
20 MSR: 8000000000009032 <EE,ME,IR,DR> CR: 44000448 XER: 20000001
21 DAR: c000002000af90a8, DSISR: 0000000040000000
22 TASK = c00000007c1b8600[4019] 'hugemmap01' THREAD: c000000077e78000 CPU: 6
23 GPR00: 0000001fffffffe0 c000000077e7bab0 c0000000009a4e78 0000000000000000
24 GPR04: 0000000000010000 0000000000000001 00000000ffffffff 0000000000000001
25 GPR08: 0000000000000000 c000000000af90c8 0000000000000001 0000000000000000
26 GPR12: 000000000000003f c000000000a73880 0000000000000000 0000000000000000
27 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000010000
28 GPR20: 0000000000000000 0000000000000003 0000000000010000 0000000000000001
29 GPR24: 0000000000000003 0000000000000000 0000000000000001 ffffffffffffffb5
30 GPR28: c000000077ca2e80 0000000000000000 c00000000092af78 0000000000010000
31 NIP [c000000000038d60] .slice_get_unmapped_area+0x6c/0x4e0
32 LR [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
33 Call Trace:
34 [c000000077e7bbc0] [c00000000003945c] .hugetlb_get_unmapped_area+0x6c/0x80
35 [c000000077e7bc30] [c000000000107e30] .get_unmapped_area+0x64/0xd8
36 [c000000077e7bcb0] [c00000000010b140] .do_mmap_pgoff+0x140/0x420
37 [c000000077e7bd80] [c00000000000bf5c] .sys_mmap+0xc4/0x140
38 [c000000077e7be30] [c0000000000086b4] syscall_exit+0x0/0x40
39 Instruction dump:
40 fac1ffb0 fae1ffb8 fb01ffc0 fb21ffc8 fb41ffd0 fb61ffd8 fb81ffe0 fbc1fff0
41 fbe1fff8 f821fef1 f8c10158 f8e10160 <7d49002e> f9010168 e92d01b0 eb4902b0
42
43 Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
44 Signed-off-by: Olaf Hering <olh@suse.de>
45
46 ---
47 arch/powerpc/mm/hugetlbpage.c | 3 +++
48 1 file changed, 3 insertions(+)
49
50 --- a/arch/powerpc/mm/hugetlbpage.c
51 +++ b/arch/powerpc/mm/hugetlbpage.c
52 @@ -500,6 +500,9 @@ unsigned long hugetlb_get_unmapped_area(
53 {
54 struct hstate *hstate = hstate_file(file);
55 int mmu_psize = shift_to_mmu_psize(huge_page_shift(hstate));
56 +
57 + if (!mmu_huge_psizes[mmu_psize])
58 + return -EINVAL;
59 return slice_get_unmapped_area(addr, len, flags, mmu_psize, 1, 0);
60 }
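Review bot: The added guard at gutter line 57 indexes `mmu_huge_psizes[mmu_psize]` without first validating `mmu_psize` itself, which is whatever `shift_to_mmu_psize()` returned on the preceding line. If that helper can signal an unrecognised huge page shift with a negative value (its body is outside the hunk, so this is inferred), the new check reads before the start of the array on exactly the unsupported-hugepage path this patch is meant to harden, turning one oops into an out-of-bounds read. The guard should reject a bad lookup before using it as an index: `if (mmu_psize < 0 || !mmu_huge_psizes[mmu_psize])` followed by `return -EINVAL;`. A one-line comment such as `/* no hugepage support at this size, e.g. under Active Memory Sharing */` would also tie the check to the oops described in the commit message. The parameter list of hugetlb_get_unmapped_area begins outside the hunk.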
61