* [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173
@ 2015-03-20 7:49 Wang Long
2015-03-20 7:49 ` [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Wang Long
2015-05-04 13:48 ` [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Jiri Slaby
0 siblings, 2 replies; 3+ messages in thread
From: Wang Long @ 2015-03-20 7:49 UTC (permalink / raw)
To: gregkh, jslaby
Cc: linux-kernel, stable, long.wanglong, peifeiyue, sasha.levin, aarcange
Hi Greg and Jiri,
The following patch commit ee53664bda169f519ce3c6a22d378f0b946c8178
mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
fix CVE-2014-8173. I wish you could merge this fix into stable 3.10
and 3.12, because the linux kernel before 3.13 on NUMA systems
is affected by it.
Kirill A. Shutemov (1):
mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
include/asm-generic/pgtable.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--
1.8.3.4
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
2015-03-20 7:49 [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Wang Long
@ 2015-03-20 7:49 ` Wang Long
2015-05-04 13:48 ` [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Jiri Slaby
1 sibling, 0 replies; 3+ messages in thread
From: Wang Long @ 2015-03-20 7:49 UTC (permalink / raw)
To: gregkh, jslaby
Cc: linux-kernel, stable, long.wanglong, peifeiyue, sasha.levin, aarcange
From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
commit ee53664bda169f519ce3c6a22d378f0b946c8178 upstream.
Sasha Levin found a NULL pointer dereference that is due to a missing
page table lock, which in turn is due to the pmd entry in question being
a transparent huge-table entry.
The code - introduced in commit 1998cc048901 ("mm: make
madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
turns out that that function doesn't work correctly.
pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
trigger if the transparent hugepage bit was set, but it doesn't do that
if pmd_numa() is also set. Note that the NUMA bit only gets set on real
NUMA machines, so people trying to reproduce this on most normal
development systems would never actually trigger this.
Fix it by removing the very subtle (and subtly incorrect) expectation,
and instead just checking pmd_trans_huge() explicitly.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
[ Additionally remove the now stale test for pmd_trans_huge() inside the
pmd_bad() case - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
include/asm-generic/pgtable.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
index 17bccd3..dd6d9b8 100644
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -550,11 +550,10 @@ static inline int pmd_none_or_trans_huge_or_clear_bad(pmd_t *pmd)
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
barrier();
#endif
- if (pmd_none(pmdval))
+ if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
return 1;
if (unlikely(pmd_bad(pmdval))) {
- if (!pmd_trans_huge(pmdval))
- pmd_clear_bad(pmd);
+ pmd_clear_bad(pmd);
return 1;
}
return 0;
--
1.8.3.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173
2015-03-20 7:49 [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Wang Long
2015-03-20 7:49 ` [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Wang Long
@ 2015-05-04 13:48 ` Jiri Slaby
1 sibling, 0 replies; 3+ messages in thread
From: Jiri Slaby @ 2015-05-04 13:48 UTC (permalink / raw)
To: Wang Long, gregkh; +Cc: linux-kernel, stable, peifeiyue, sasha.levin, aarcange
On 03/20/2015, 08:49 AM, Wang Long wrote:
> Hi Greg and Jiri,
>
> The following patch commit ee53664bda169f519ce3c6a22d378f0b946c8178
>
> mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
>
> fix CVE-2014-8173. I wish you could merge this fix into stable 3.10
> and 3.12, because the linux kernel before 3.13 on NUMA systems
> is affected by it.
Now applied to 3.12. Thanks!
--
js
suse labs
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-05-04 13:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-20 7:49 [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Wang Long
2015-03-20 7:49 ` [PATCH] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support Wang Long
2015-05-04 13:48 ` [request for stable inclusion 3.10 and 3.12] Fix CVE-2014-8173 Jiri Slaby
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.