diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-11-27 12:54:04 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-11-27 18:19:48 +0100 |
commit | 51e9248e1748fcd3992cf47f6ecf9a3cb776c998 (patch) | |
tree | e28f4ffc4c6531f4dc3e33272be374ec6a4d38b5 | |
parent | b03530492a27f14a49010d411e9b8d753b7fe48a (diff) | |
download | meta-enea-51e9248e1748fcd3992cf47f6ecf9a3cb776c998.tar.gz |
linux-qoriq: mm: CVE-2014-3122
try_to_unmap_cluster() should lock_page() before mlocking
Reference
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/mm-CVE-2014-3122.patch | 97 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq-common.inc | 5 |
2 files changed, 101 insertions, 1 deletions
diff --git a/recipes-kernel/linux/files/mm-CVE-2014-3122.patch b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch new file mode 100644 index 0000000..609927a --- /dev/null +++ b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch | |||
@@ -0,0 +1,97 @@ | |||
1 | commit 400fc13141fe947c38e8485ee9d37066d4533363 | ||
2 | Author: Vlastimil Babka <vbabka@suse.cz> | ||
3 | Date: Mon Apr 7 15:37:50 2014 -0700 | ||
4 | |||
5 | commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream. | ||
6 | |||
7 | A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin | ||
8 | fuzzing with trinity. The call site try_to_unmap_cluster() does not lock | ||
9 | the pages other than its check_page parameter (which is already locked). | ||
10 | |||
11 | The BUG_ON in mlock_vma_page() is not documented and its purpose is | ||
12 | somewhat unclear, but apparently it serializes against page migration, | ||
13 | which could otherwise fail to transfer the PG_mlocked flag. This would | ||
14 | not be fatal, as the page would be eventually encountered again, but | ||
15 | NR_MLOCK accounting would become distorted nevertheless. This patch adds | ||
16 | a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that | ||
17 | effect. | ||
18 | |||
19 | The call site try_to_unmap_cluster() is fixed so that for page != | ||
20 | check_page, trylock_page() is attempted (to avoid possible deadlocks as we | ||
21 | already have check_page locked) and mlock_vma_page() is performed only | ||
22 | upon success. If the page lock cannot be obtained, the page is left | ||
23 | without PG_mlocked, which is again not a problem in the whole unevictable | ||
24 | memory design. | ||
25 | |||
26 | Fixes CVE-2014-3122 | ||
27 | Upstream-Status: Backport | ||
28 | |||
29 | Signed-off-by: Vlastimil Babka <vbabka@suse.cz> | ||
30 | Signed-off-by: Bob Liu <bob.liu@oracle.com> | ||
31 | Reported-by: Sasha Levin <sasha.levin@oracle.com> | ||
32 | Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com> | ||
33 | Cc: Michel Lespinasse <walken@google.com> | ||
34 | Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> | ||
35 | Acked-by: Rik van Riel <riel@redhat.com> | ||
36 | Cc: David Rientjes <rientjes@google.com> | ||
37 | Cc: Mel Gorman <mgorman@suse.de> | ||
38 | Cc: Hugh Dickins <hughd@google.com> | ||
39 | Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> | ||
40 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | ||
41 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
42 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
43 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
44 | --- | ||
45 | mm/mlock.c | 2 ++ | ||
46 | mm/rmap.c | 14 ++++++++++++-- | ||
47 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
48 | |||
49 | diff --git a/mm/mlock.c b/mm/mlock.c | ||
50 | index 192e6ee..1b12dfa 100644 | ||
51 | --- a/mm/mlock.c | ||
52 | +++ b/mm/mlock.c | ||
53 | @@ -79,6 +79,7 @@ void clear_page_mlock(struct page *page) | ||
54 | */ | ||
55 | void mlock_vma_page(struct page *page) | ||
56 | { | ||
57 | + /* Serialize with page migration */ | ||
58 | BUG_ON(!PageLocked(page)); | ||
59 | |||
60 | if (!TestSetPageMlocked(page)) { | ||
61 | @@ -153,6 +154,7 @@ unsigned int munlock_vma_page(struct page *page) | ||
62 | { | ||
63 | unsigned int nr_pages; | ||
64 | |||
65 | + /* For try_to_munlock() and to serialize with page migration */ | ||
66 | BUG_ON(!PageLocked(page)); | ||
67 | |||
68 | if (TestClearPageMlocked(page)) { | ||
69 | diff --git a/mm/rmap.c b/mm/rmap.c | ||
70 | index b9d2222..6e31398 100644 | ||
71 | --- a/mm/rmap.c | ||
72 | +++ b/mm/rmap.c | ||
73 | @@ -1392,9 +1392,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount, | ||
74 | BUG_ON(!page || PageAnon(page)); | ||
75 | |||
76 | if (locked_vma) { | ||
77 | - mlock_vma_page(page); /* no-op if already mlocked */ | ||
78 | - if (page == check_page) | ||
79 | + if (page == check_page) { | ||
80 | + /* we know we have check_page locked */ | ||
81 | + mlock_vma_page(page); | ||
82 | ret = SWAP_MLOCK; | ||
83 | + } else if (trylock_page(page)) { | ||
84 | + /* | ||
85 | + * If we can lock the page, perform mlock. | ||
86 | + * Otherwise leave the page alone, it will be | ||
87 | + * eventually encountered again later. | ||
88 | + */ | ||
89 | + mlock_vma_page(page); | ||
90 | + unlock_page(page); | ||
91 | + } | ||
92 | continue; /* don't unmap */ | ||
93 | } | ||
94 | |||
95 | -- | ||
96 | 1.9.1 | ||
97 | |||
diff --git a/recipes-kernel/linux/linux-qoriq-common.inc b/recipes-kernel/linux/linux-qoriq-common.inc index cbf16e3..d99bdef 100644 --- a/recipes-kernel/linux/linux-qoriq-common.inc +++ b/recipes-kernel/linux/linux-qoriq-common.inc | |||
@@ -3,7 +3,10 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | |||
3 | SRC_URI += "file://b4860-hard_irq_disable-bug.patch \ | 3 | SRC_URI += "file://b4860-hard_irq_disable-bug.patch \ |
4 | file://0001-sdhci-fix-Timeout-error-messages.patch \ | 4 | file://0001-sdhci-fix-Timeout-error-messages.patch \ |
5 | file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \ | 5 | file://powerpc-fsl-booke64-Set-vmemmap_psize-to-4K.patch \ |
6 | file://cfg/00013-localversion.cfg \ | 6 | file://mm-CVE-2014-3122.patch \ |
7 | " | ||
8 | |||
9 | SRC_URI += "file://cfg/00013-localversion.cfg \ | ||
7 | file://cfg/00006-with_modules.cfg \ | 10 | file://cfg/00006-with_modules.cfg \ |
8 | file://cfg/00001-embedded.cfg \ | 11 | file://cfg/00001-embedded.cfg \ |
9 | file://cfg/00012-preempt.cfg \ | 12 | file://cfg/00012-preempt.cfg \ |