* [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173
@ 2015-03-20  7:49 Wang Long
  2015-03-20  7:49 ` [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Wang Long
  2015-05-04 13:48 ` [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Jiri Slaby
  0 siblings, 2 replies; 3+ messages in thread
From: Wang Long @ 2015-03-20  7:49 UTC (permalink / raw)
  To: gregkh, jslaby
  Cc: linux-kernel, stable, long.wanglong, peifeiyue, sasha.levin, aarcange

Hi Greg and Jiri,

The following patch commit ee53664bda169f519ce3c6a22d378f0b946c8178

mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support

fixes CVE-2014-8173. I wish you could merge this fix into stable 3.10
and 3.12, because the Linux kernel before 3.13 on NUMA systems
is affected by it.


Kirill A. Shutemov (1):
  mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support

 include/asm-generic/pgtable.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

-- 
1.8.3.4



* [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
  2015-03-20  7:49 [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Wang Long
@ 2015-03-20  7:49 ` Wang Long
  2015-05-04 13:48 ` [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Jiri Slaby
  1 sibling, 0 replies; 3+ messages in thread
From: Wang Long @ 2015-03-20  7:49 UTC (permalink / raw)
  To: gregkh, jslaby
  Cc: linux-kernel, stable, long.wanglong, peifeiyue, sasha.levin, aarcange

From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>

commit ee53664bda169f519ce3c6a22d378f0b946c8178 upstream.

Sasha Levin found a NULL pointer dereference that is due to a missing
page table lock, which in turn is due to the pmd entry in question being
a transparent huge-table entry.

The code - introduced in commit 1998cc048901 ("mm: make
madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
turns out that that function doesn't work correctly.

pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
trigger if the transparent hugepage bit was set, but it doesn't do that
if pmd_numa() is also set. Note that the NUMA bit only gets set on real
NUMA machines, so people trying to reproduce this on most normal
development systems would never actually trigger this.

Fix it by removing the very subtle (and subtly incorrect) expectation,
and instead just checking pmd_trans_huge() explicitly.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
[ Additionally remove the now stale test for pmd_trans_huge() inside the
  pmd_bad() case - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 include/asm-generic/pgtable.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index 17bccd3..dd6d9b8 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -550,11 +550,10 @@ static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
 	barrier();
 #endif
-	if (pmd_none(pmdval))
+	if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
 		return 1;
 	if (unlikely(pmd_bad(pmdval))) {
-		if (!pmd_trans_huge(pmdval))
-			pmd_clear_bad(pmd);
+		pmd_clear_bad(pmd);
 		return 1;
 	}
 	return 0;
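Review bot: the pmd_bad() branch is now only correct because of the line above it. The `!pmd_trans_huge(pmdval)` guard around pmd_clear_bad() can be dropped solely because `if (pmd_none(pmdval) || pmd_trans_huge(pmdval))` returns first, yet nothing in the function records that pmd_bad() on its own cannot be trusted to flag a huge entry (per the commit message it stays silent when the NUMA bit is also set). A one-line comment above the combined check stating that pmd_trans_huge() must be tested before pmd_bad() would stop a later cleanup from reordering the two tests and silently reintroducing the dereference. It is also worth confirming in the same file that pmd_trans_huge() is defined as a constant 0 when CONFIG_TRANSPARENT_HUGEPAGE (the ifdef visible just above the hunk) is off, so the added test is a no-op there.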
-- 
1.8.3.4
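The reasoning in the commit message above, written out as an added C model that is not part of the patch or of the kernel: it encodes a pmd entry as a constructed 64-bit value with assumed flag-bit positions, models pmd_bad() with the NUMA exception the message describes, and runs both the pre-fix and post-fix versions of pmd_none_or_trans_huge_or_clear_bad() over a huge-page entry with and without the NUMA bit to show which version lets a page-table walker descend into a huge entry as if it were a PTE table. The `walker_descends_into_huge_pmd` helper and every flag name are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a pmd entry. The flag bit positions are an
 * assumption for this example and do not match any real architecture. */
typedef struct { uint64_t val; } pmd_t;

#define PMD_PRESENT    (1ULL << 0)   /* entry is valid */
#define PMD_TRANS_HUGE (1ULL << 7)   /* entry maps a transparent huge page */
#define PMD_NUMA       (1ULL << 11)  /* NUMA hinting bit (only set on NUMA boxes) */
#define PMD_FLAGS_MASK 0xfffULL      /* low 12 bits are flags, the rest is address */

static bool pmd_none(pmd_t p)       { return p.val == 0; }
static bool pmd_trans_huge(pmd_t p) { return (p.val & PMD_TRANS_HUGE) != 0; }
static bool pmd_numa(pmd_t p)       { return (p.val & PMD_NUMA) != 0; }

/* Model of pmd_bad(): anything other than a plain, present page-table
 * pointer is "bad", except that an entry carrying the NUMA bit is never
 * reported bad. That exception is the behaviour the commit message
 * describes; the concrete check here is the example's own. */
static bool pmd_bad(pmd_t p)
{
	if (pmd_numa(p))
		return false;
	return (p.val & PMD_FLAGS_MASK) != PMD_PRESENT;
}

static void pmd_clear_bad(pmd_t *pmd) { pmd->val = 0; }

/* Before the fix: relies on pmd_bad() to catch transparent huge entries. */
static int old_pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
{
	pmd_t pmdval = *pmd;
	if (pmd_none(pmdval))
		return 1;
	if (pmd_bad(pmdval)) {
		if (!pmd_trans_huge(pmdval))
			pmd_clear_bad(pmd);
		return 1;
	}
	return 0;
}

/* After the fix: tests pmd_trans_huge() explicitly, before pmd_bad(). */
static int new_pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
{
	pmd_t pmdval = *pmd;
	if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
		return 1;
	if (pmd_bad(pmdval)) {
		pmd_clear_bad(pmd);
		return 1;
	}
	return 0;
}

/* Caller model: a walker that, on a 0 return, would go on to treat the
 * entry as a pointer to a PTE table. Returns true when the walker would
 * wrongly descend into a huge-page entry (the pre-fix crash condition). */
static bool walker_descends_into_huge_pmd(int (*check)(pmd_t *), pmd_t entry)
{
	pmd_t pmd = entry;          /* private copy so pmd_clear_bad() is harmless */
	int skip = check(&pmd);
	return skip == 0 && pmd_trans_huge(entry);
}

int main(void)
{
	pmd_t huge      = { PMD_PRESENT | PMD_TRANS_HUGE };
	pmd_t huge_numa = { PMD_PRESENT | PMD_TRANS_HUGE | PMD_NUMA };

	printf("huge (no NUMA bit): old descends=%d new descends=%d\n",
	       walker_descends_into_huge_pmd(old_pmd_none_or_trans_huge_or_clear_bad, huge),
	       walker_descends_into_huge_pmd(new_pmd_none_or_trans_huge_or_clear_bad, huge));
	printf("huge + NUMA bit:    old descends=%d new descends=%d\n",
	       walker_descends_into_huge_pmd(old_pmd_none_or_trans_huge_or_clear_bad, huge_numa),
	       walker_descends_into_huge_pmd(new_pmd_none_or_trans_huge_or_clear_bad, huge_numa));
	return 0;
}
```

The first line of output shows why the bug hid on ordinary development machines: without the NUMA bit, the modelled pmd_bad() does flag the huge entry and the old code returns 1 as intended. Only the second case, huge entry plus NUMA bit, makes the old version return 0 and hand a huge-page entry to the walker as though it were a table pointer, which is exactly the path the fixed version closes by testing pmd_trans_huge() first.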



* Re: [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173
  2015-03-20  7:49 [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Wang Long
  2015-03-20  7:49 ` [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Wang Long
@ 2015-05-04 13:48 ` Jiri Slaby
  1 sibling, 0 replies; 3+ messages in thread
From: Jiri Slaby @ 2015-05-04 13:48 UTC (permalink / raw)
  To: Wang Long, gregkh; +Cc: linux-kernel, stable, peifeiyue, sasha.levin, aarcange

On 03/20/2015, 08:49 AM, Wang Long wrote:
> Hi Greg and Jiri,
> 
> The following patch commit ee53664bda169f519ce3c6a22d378f0b946c8178
> 
> mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
> 
> fixes CVE-2014-8173. I wish you could merge this fix into stable 3.10
> and 3.12, because the Linux kernel before 3.13 on NUMA systems
> is affected by it.

Now applied to 3.12. Thanks!

-- 
js
suse labs

