From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Fan Yang <Fan_Yang@sjtu.edu.cn>,
Dan Williams <dan.j.williams@intel.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.7 02/14] mm: Fix mremap not considering huge pmd devmap
Date: Fri, 5 Jun 2020 16:14:52 +0200 [thread overview]
Message-ID: <20200605135951.176220041@linuxfoundation.org> (raw)
In-Reply-To: <20200605135951.018731965@linuxfoundation.org>
From: Fan Yang <Fan_Yang@sjtu.edu.cn>
commit 5bfea2d9b17f1034a68147a8b03b9789af5700f9 upstream.
The original code in mm/mremap.c checks huge pmd by:
if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
However, a DAX mapped nvdimm is mapped as huge page (by default) but it
is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit
changes the condition to include the case.
This addresses CVE-2020-10757.
Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd")
Cc: <stable@vger.kernel.org>
Reported-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
Signed-off-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
Tested-by: Fan Yang <Fan_Yang@sjtu.edu.cn>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/pgtable.h | 1 +
mm/mremap.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -257,6 +257,7 @@ static inline int pmd_large(pmd_t pte)
}
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+/* NOTE: when predicate huge page, consider also pmd_devmap, or use pmd_large */
static inline int pmd_trans_huge(pmd_t pmd)
{
return (pmd_val(pmd) & (_PAGE_PSE|_PAGE_DEVMAP)) == _PAGE_PSE;
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -266,7 +266,7 @@ unsigned long move_page_tables(struct vm
new_pmd = alloc_new_pmd(vma->vm_mm, vma, new_addr);
if (!new_pmd)
break;
- if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) {
+ if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd) || pmd_devmap(*old_pmd)) {
if (extent == HPAGE_PMD_SIZE) {
bool moved;
/* See comment in move_ptes() */
next prev parent reply other threads:[~2020-06-05 14:16 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-05 14:14 [PATCH 5.7 00/14] 5.7.1-rc1 review Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 01/14] media: dvbdev: Fix tuner->demod media controller link Greg Kroah-Hartman
2020-06-05 14:14 ` Greg Kroah-Hartman [this message]
2020-06-05 14:14 ` [PATCH 5.7 03/14] HID: sony: Fix for broken buttons on DS3 USB dongles Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 04/14] HID: multitouch: enable multi-input as a quirk for some devices Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 05/14] HID: i2c-hid: add Schneider SCL142ALM to descriptor override Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 06/14] p54usb: add AirVasT USB stick device-id Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 07/14] mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 08/14] crypto: api - Fix use-after-free and race in crypto_spawn_alg Greg Kroah-Hartman
2020-06-05 14:14 ` [PATCH 5.7 09/14] kernel/relay.c: handle alloc_percpu returning NULL in relay_open Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.7 10/14] mmc: fix compilation of user API Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.7 11/14] media: Revert "staging: imgu: Address a compiler warning on alignment" Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.7 12/14] media: staging: ipu3-imgu: Move alignment attribute to field Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.7 13/14] net: dsa: mt7530: set CPU port to fallback mode Greg Kroah-Hartman
2020-06-05 14:15 ` [PATCH 5.7 14/14] airo: Fix read overflows sending packets Greg Kroah-Hartman
2020-06-05 22:11 ` [PATCH 5.7 00/14] 5.7.1-rc1 review Shuah Khan
2020-06-07 11:18 ` Greg Kroah-Hartman
[not found] ` <20200605135951.018731965-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-06-06 6:28 ` Jon Hunter
2020-06-06 6:28 ` Jon Hunter
2020-06-06 13:34 ` Guenter Roeck
2020-06-07 11:19 ` Greg Kroah-Hartman
2020-06-06 15:49 ` Naresh Kamboju
2020-06-07 11:20 ` Greg Kroah-Hartman
2020-06-07 20:21 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200605135951.176220041@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Fan_Yang@sjtu.edu.cn \
--cc=dan.j.williams@intel.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.