diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-15 13:57:29 +0100 |
---|---|---|
committer | Zhenhua Luo <zhenhua.luo@nxp.com> | 2015-12-21 13:55:31 +0800 |
commit | f297dfce5ef0fe2d1247b8f167beca1389e1a355 (patch) | |
tree | 20c09b7e8f298c9296f0b185354159f22966e766 | |
parent | 23af7623411731ab63152703d48ed2c8c3931668 (diff) | |
download | meta-fsl-ppc-f297dfce5ef0fe2d1247b8f167beca1389e1a355.tar.gz |
mm: CVE-2014-312
try_to_unmap_cluster() should lock_page() before mlocking
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch
/?id=400fc13141fe947c38e8485ee9d37066d4533363
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Zhenhua Luo <zhenhua.luo@nxp.com>
-rw-r--r-- | recipes-kernel/linux/files/mm-CVE-2014-3122.patch | 98 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 1 |
2 files changed, 99 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/mm-CVE-2014-3122.patch b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch new file mode 100644 index 0000000..537d01b --- /dev/null +++ b/recipes-kernel/linux/files/mm-CVE-2014-3122.patch | |||
@@ -0,0 +1,98 @@ | |||
1 | commit 400fc13141fe947c38e8485ee9d37066d4533363 | ||
2 | Author: Vlastimil Babka <vbabka@suse.cz> | ||
3 | Date: Mon Apr 7 15:37:50 2014 -0700 | ||
4 | Subject: mm: try_to_unmap_cluster() should lock_page() before mlocking | ||
5 | |||
6 | commit 57e68e9cd65b4b8eb4045a1e0d0746458502554c upstream. | ||
7 | |||
8 | A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin | ||
9 | fuzzing with trinity. The call site try_to_unmap_cluster() does not lock | ||
10 | the pages other than its check_page parameter (which is already locked). | ||
11 | |||
12 | The BUG_ON in mlock_vma_page() is not documented and its purpose is | ||
13 | somewhat unclear, but apparently it serializes against page migration, | ||
14 | which could otherwise fail to transfer the PG_mlocked flag. This would | ||
15 | not be fatal, as the page would be eventually encountered again, but | ||
16 | NR_MLOCK accounting would become distorted nevertheless. This patch adds | ||
17 | a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that | ||
18 | effect. | ||
19 | |||
20 | The call site try_to_unmap_cluster() is fixed so that for page != | ||
21 | check_page, trylock_page() is attempted (to avoid possible deadlocks as we | ||
22 | already have check_page locked) and mlock_vma_page() is performed only | ||
23 | upon success. If the page lock cannot be obtained, the page is left | ||
24 | without PG_mlocked, which is again not a problem in the whole unevictable | ||
25 | memory design. | ||
26 | |||
27 | Fixes CVE-2014-3122 | ||
28 | Upstream-Status: Backport | ||
29 | |||
30 | Signed-off-by: Vlastimil Babka <vbabka@suse.cz> | ||
31 | Signed-off-by: Bob Liu <bob.liu@oracle.com> | ||
32 | Reported-by: Sasha Levin <sasha.levin@oracle.com> | ||
33 | Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com> | ||
34 | Cc: Michel Lespinasse <walken@google.com> | ||
35 | Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> | ||
36 | Acked-by: Rik van Riel <riel@redhat.com> | ||
37 | Cc: David Rientjes <rientjes@google.com> | ||
38 | Cc: Mel Gorman <mgorman@suse.de> | ||
39 | Cc: Hugh Dickins <hughd@google.com> | ||
40 | Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> | ||
41 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | ||
42 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
43 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
44 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
45 | --- | ||
46 | mm/mlock.c | 2 ++ | ||
47 | mm/rmap.c | 14 ++++++++++++-- | ||
48 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
49 | |||
50 | diff --git a/mm/mlock.c b/mm/mlock.c | ||
51 | index 192e6ee..1b12dfa 100644 | ||
52 | --- a/mm/mlock.c | ||
53 | +++ b/mm/mlock.c | ||
54 | @@ -79,6 +79,7 @@ void clear_page_mlock(struct page *page) | ||
55 | */ | ||
56 | void mlock_vma_page(struct page *page) | ||
57 | { | ||
58 | + /* Serialize with page migration */ | ||
59 | BUG_ON(!PageLocked(page)); | ||
60 | |||
61 | if (!TestSetPageMlocked(page)) { | ||
62 | @@ -153,6 +154,7 @@ unsigned int munlock_vma_page(struct page *page) | ||
63 | { | ||
64 | unsigned int nr_pages; | ||
65 | |||
66 | + /* For try_to_munlock() and to serialize with page migration */ | ||
67 | BUG_ON(!PageLocked(page)); | ||
68 | |||
69 | if (TestClearPageMlocked(page)) { | ||
70 | diff --git a/mm/rmap.c b/mm/rmap.c | ||
71 | index b9d2222..6e31398 100644 | ||
72 | --- a/mm/rmap.c | ||
73 | +++ b/mm/rmap.c | ||
74 | @@ -1392,9 +1392,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount, | ||
75 | BUG_ON(!page || PageAnon(page)); | ||
76 | |||
77 | if (locked_vma) { | ||
78 | - mlock_vma_page(page); /* no-op if already mlocked */ | ||
79 | - if (page == check_page) | ||
80 | + if (page == check_page) { | ||
81 | + /* we know we have check_page locked */ | ||
82 | + mlock_vma_page(page); | ||
83 | ret = SWAP_MLOCK; | ||
84 | + } else if (trylock_page(page)) { | ||
85 | + /* | ||
86 | + * If we can lock the page, perform mlock. | ||
87 | + * Otherwise leave the page alone, it will be | ||
88 | + * eventually encountered again later. | ||
89 | + */ | ||
90 | + mlock_vma_page(page); | ||
91 | + unlock_page(page); | ||
92 | + } | ||
93 | continue; /* don't unmap */ | ||
94 | } | ||
95 | |||
96 | -- | ||
97 | 1.9.1 | ||
98 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 33bcd37..f078518 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb | |||
@@ -33,6 +33,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ | |||
33 | file://target-CVE-2014-4027.patch \ | 33 | file://target-CVE-2014-4027.patch \ |
34 | file://fs-isofs-CVE-2014-9420.patch \ | 34 | file://fs-isofs-CVE-2014-9420.patch \ |
35 | file://udp-CVE-2015-5364_CVE-2015-5366.patch \ | 35 | file://udp-CVE-2015-5364_CVE-2015-5366.patch \ |
36 | file://mm-CVE-2014-3122.patch \ | ||
36 | " | 37 | " |
37 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" | 38 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" |
38 | 39 | ||