From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux@roeck-us.net
Cc: Jan Beulich <JBeulich@suse.com>, Jan Beulich <jbeulich@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Andy Lutomirski <luto@amacapital.net>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>, David Vrabel <david.vrabel@citrix.com>, Denys Vlasenko <dvlasenk@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>, Juergen Gross <JGross@suse.com>, Linus Torvalds <torvalds@linux-foundation.org>, "Luis R. Rodriguez" <mcgrof@suse.com>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Toshi Kani <toshi.kani@hp.com>, xen-devel <xen-devel@lists.xenproject.org>, Ingo Molnar <mingo@kernel.org>, Willy Tarreau <w@1wt.eu>
Subject: [PATCH 3.10 032/319] x86/mm/xen: Suppress hugetlbfs in PV guests
Date: Sun, 5 Feb 2017 20:20:19 +0100
Message-ID: <1486322486-8024-3-git-send-email-w@1wt.eu>
In-Reply-To: <1486322486-8024-1-git-send-email-w@1wt.eu>
From: Jan Beulich <JBeulich@suse.com>

commit 103f6112f253017d7062cd74d17f4a514ed4485c upstream.

Huge pages are not normally available to PV guests. Not suppressing hugetlbfs use results in an endless loop of page faults when user mode code tries to access a hugetlbfs mapped area (since the hypervisor denies such PTEs to be created, but error indications can't be propagated out of xen_set_pte_at(), just like for various of its siblings), and - once killed in an oops like this:

kernel BUG at .../fs/hugetlbfs/inode.c:428!
invalid opcode: 0000 [#1] SMP
...
RIP: e030:[<ffffffff811c333b>] [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
...
Call Trace:
 [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
 [<ffffffff81167b3d>] evict+0xbd/0x1b0
 [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
 [<ffffffff81165b0e>] dput+0x1fe/0x220
 [<ffffffff81150535>] __fput+0x155/0x200
 [<ffffffff81079fc0>] task_work_run+0x60/0xa0
 [<ffffffff81063510>] do_exit+0x160/0x400
 [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
 [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
 [<ffffffff8100f854>] do_signal+0x14/0x110
 [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
 [<ffffffff814178a5>] retint_user+0x8/0x13

This is CVE-2016-3961 / XSA-174.

Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: David Vrabel <david.vrabel@citrix.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Juergen Gross <JGross@suse.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Luis R. Rodriguez <mcgrof@suse.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Toshi Kani <toshi.kani@hp.com> Cc: xen-devel <xen-devel@lists.xenproject.org> Link: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Willy Tarreau <w@1wt.eu> --- arch/x86/include/asm/hugetlb.h | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h index 68c0539..7aadd3c 100644 --- a/arch/x86/include/asm/hugetlb.h +++ b/arch/x86/include/asm/hugetlb.h @@ -4,6 +4,7 @@ #include <asm/page.h> #include <asm-generic/hugetlb.h> +#define hugepages_supported() cpu_has_pse static inline int is_hugepage_only_range(struct mm_struct *mm, unsigned long addr, -- 2.8.0.rc2.1.gbe9624a
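Review bot: The one-line hunk in arch/x86/include/asm/hugetlb.h only closes the hole if the generic hugetlbfs code in this 3.10 tree actually consults hugepages_supported(); the diffstat shows no change outside this header, so the backport should be checked against mm/hugetlb.c and fs/hugetlbfs in 3.10 to confirm the hook exists there (upstream could get away with a single added line because the caller side was already in place). The mechanism is worth a comment next to the new define, since nothing in the header says why `hugepages_supported()` is tied to `cpu_has_pse`: a Xen PV guest does not see the PSE feature bit, so the macro evaluates false there and hugetlbfs mounts are refused before any PTE the hypervisor would reject is ever created, which is what stops the page-fault loop and the BUG in remove_inode_hugepages() described in the commit message. A brief comment citing XSA-174 / CVE-2016-3961 would make that intent clear to the next reader of the header.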