mm: CVE-2014-312

try_to_unmap_cluster() should lock_page() before mlocking

Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch
/?id=400fc13141fe947c38e8485ee9d37066d4533363

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>

2 files changed, 99 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/mm-CVE-2014-3122.patch b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch
new file mode 100644
index 0000000..537d01b
--- /dev/null
+++ b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch
@@ -0,0 +1,98 @@
+commit 400fc13141fe947c38e8485ee9d37066d4533363
+Author: Vlastimil Babka <vbabka@suse.cz>
+Date:   Mon Apr 7 15:37:50 2014 -0700
+Subject: mm: try_to_unmap_cluster() should lock_page() before mlocking
+
+commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream.
+
+A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin
+fuzzing with trinity.  The call site try_to_unmap_cluster() does not lock
+the pages other than its check_page parameter (which is already locked).
+
+The BUG_ON in mlock_vma_page() is not documented and its purpose is
+somewhat unclear, but apparently it serializes against page migration,
+which could otherwise fail to transfer the PG_mlocked flag.  This would
+not be fatal, as the page would be eventually encountered again, but
+NR_MLOCK accounting would become distorted nevertheless.  This patch adds
+a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that
+effect.
+
+The call site try_to_unmap_cluster() is fixed so that for page !=
+check_page, trylock_page() is attempted (to avoid possible deadlocks as we
+already have check_page locked) and mlock_vma_page() is performed only
+upon success.  If the page lock cannot be obtained, the page is left
+without PG_mlocked, which is again not a problem in the whole unevictable
+memory design.
+
+Fixes CVE-2014-3122
+Upstream-Status: Backport
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ mm/mlock.c |  2 ++
+ mm/rmap.c  | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mlock.c b/mm/mlock.c
+index 192e6ee..1b12dfa 100644
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -79,6 +79,7 @@ void clear_page_mlock(struct page *page)
+  */
+ void mlock_vma_page(struct page *page)
+ {
++       /* Serialize with page migration */
+        BUG_ON(!PageLocked(page));
+ 
+        if (!TestSetPageMlocked(page)) {
+@@ -153,6 +154,7 @@ unsigned int munlock_vma_page(struct page *page)
+ {
+        unsigned int nr_pages;
+ 
++       /* For try_to_munlock() and to serialize with page migration */
+        BUG_ON(!PageLocked(page));
+ 
+        if (TestClearPageMlocked(page)) {
+diff --git a/mm/rmap.c b/mm/rmap.c
+index b9d2222..6e31398 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1392,9 +1392,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
+                BUG_ON(!page || PageAnon(page));
+ 
+                if (locked_vma) {
+-                       mlock_vma_page(page);   /* no-op if already mlocked */
+-                       if (page == check_page)
++                       if (page == check_page) {
++                               /* we know we have check_page locked */
++                               mlock_vma_page(page);
+                                ret = SWAP_MLOCK;
++                       } else if (trylock_page(page)) {
++                               /*
++                                * If we can lock the page, perform mlock.
++                                * Otherwise leave the page alone, it will be
++                                * eventually encountered again later.
++                                */
++                               mlock_vma_page(page);
++                               unlock_page(page);
++                       }
+                        continue;       /* don't unmap */
+                }
+ 
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 33bcd37..f078518 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -33,6 +33,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://target-CVE-2014-4027.patch \
     file://fs-isofs-CVE-2014-9420.patch \
     file://udp-CVE-2015-5364_CVE-2015-5366.patch \
+    file://mm-CVE-2014-3122.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"