From: Greg Kroah-Hartman Date: Fri, 19 Apr 2013 18:36:30 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.8.9~21^2~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6faf0c699a23a509f8a903b75f3110667c186eea;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch --- diff --git a/queue-3.0/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch b/queue-3.0/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch new file mode 100644 index 00000000000..57b5c5ee94a --- /dev/null +++ b/queue-3.0/hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch @@ -0,0 +1,75 @@ +From 9cc3a5bd40067b9a0fbd49199d0780463fc2140f Mon Sep 17 00:00:00 2001 +From: Naoya Horiguchi +Date: Wed, 17 Apr 2013 15:58:30 -0700 +Subject: hugetlbfs: add swap entry check in follow_hugetlb_page() + +From: Naoya Horiguchi + +commit 9cc3a5bd40067b9a0fbd49199d0780463fc2140f upstream. + +With applying the previous patch "hugetlbfs: stop setting VM_DONTDUMP in +initializing vma(VM_HUGETLB)" to reenable hugepage coredump, if a memory +error happens on a hugepage and the affected processes try to access the +error hugepage, we hit VM_BUG_ON(atomic_read(&page->_count) <= 0) in +get_page(). + +The reason for this bug is that coredump-related code doesn't recognise +"hugepage hwpoison entry" with which a pmd entry is replaced when a memory +error occurs on a hugepage. + +In other words, physical address information is stored in different bit +layout between hugepage hwpoison entry and pmd entry, so +follow_hugetlb_page() which is called in get_dump_page() returns a wrong +page from a given address. + +The expected behavior is like this: + + absent is_swap_pte FOLL_DUMP Expected behavior + ------------------------------------------------------------------- + true false false hugetlb_fault + false true false hugetlb_fault + false false false return page + true false true skip page (to avoid allocation) + false true true hugetlb_fault + false false true return page + +With this patch, we can call hugetlb_fault() and take proper actions (we +wait for migration entries, fail with VM_FAULT_HWPOISON_LARGE for +hwpoisoned entries,) and as the result we can dump all hugepages except +for hwpoisoned ones. + +Signed-off-by: Naoya Horiguchi +Cc: Rik van Riel +Acked-by: Michal Hocko +Cc: HATAYAMA Daisuke +Acked-by: KOSAKI Motohiro +Acked-by: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2800,7 +2800,17 @@ int follow_hugetlb_page(struct mm_struct + break; + } + +- if (absent || ++ /* ++ * We need call hugetlb_fault for both hugepages under migration ++ * (in which case hugetlb_fault waits for the migration,) and ++ * hwpoisoned hugepages (in which case we need to prevent the ++ * caller from accessing to them.) In order to do this, we use ++ * here is_swap_pte instead of is_hugetlb_entry_migration and ++ * is_hugetlb_entry_hwpoisoned. This is because it simply covers ++ * both cases, and because we can't follow correct pages ++ * directly from any kind of swap entries. ++ */ ++ if (absent || is_swap_pte(huge_ptep_get(pte)) || + ((flags & FOLL_WRITE) && !pte_write(huge_ptep_get(pte)))) { + int ret; + diff --git a/queue-3.0/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch b/queue-3.0/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch new file mode 100644 index 00000000000..f1f60994285 --- /dev/null +++ b/queue-3.0/kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch @@ -0,0 +1,50 @@ +From b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f Mon Sep 17 00:00:00 2001 +From: Emese Revfy +Date: Wed, 17 Apr 2013 15:58:36 -0700 +Subject: kernel/signal.c: stop info leak via the tkill and the tgkill syscalls + +From: Emese Revfy + +commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream. + +This fixes a kernel memory contents leak via the tkill and tgkill syscalls +for compat processes. + +This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field +when handling signals delivered from tkill. + +The place of the infoleak: + +int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) +{ + ... + put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr); + ... +} + +Signed-off-by: Emese Revfy +Reviewed-by: PaX Team +Signed-off-by: Kees Cook +Cc: Al Viro +Cc: Oleg Nesterov +Cc: "Eric W. Biederman" +Cc: Serge Hallyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/signal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -2664,7 +2664,7 @@ do_send_specific(pid_t tgid, pid_t pid, + + static int do_tkill(pid_t tgid, pid_t pid, int sig) + { +- struct siginfo info; ++ struct siginfo info = {}; + + info.si_signo = sig; + info.si_errno = 0; diff --git a/queue-3.0/series b/queue-3.0/series index 5e715a09778..8d7e100f858 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -1,3 +1,5 @@ hrtimer-don-t-reinitialize-a-cpu_base-lock-on-cpu_up.patch revert-8021q-fix-a-potential-use-after-free.patch can-sja1000-fix-handling-on-dt-properties-on-little-endian-systems.patch +hugetlbfs-add-swap-entry-check-in-follow_hugetlb_page.patch +kernel-signal.c-stop-info-leak-via-the-tkill-and-the-tgkill-syscalls.patch