[linux] 04/06: mm: do not collapse stack gap into THP
debian-kernel at lists.debian.org
Mon Jun 19 15:38:08 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 909faf0f905a4741d8298692417ca77d67933e8d
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Jun 16 11:34:02 2017 +0200
mm: do not collapse stack gap into THP
---
debian/changelog | 1 +
.../mm-do-not-collapse-stack-gap-into-THP.patch | 52 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 54 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index bd93fcf..9c8c51e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -25,6 +25,7 @@ linux (3.16.43-2+deb8u1) UNRELEASED; urgency=medium
* mm: enlarge stack guard gap (CVE-2017-1000364)
* mm: allow to configure stack gap size
* mm, proc: cap the stack gap for unpopulated growing vmas
+ * mm: do not collapse stack gap into THP
-- Ben Hutchings <ben at decadent.org.uk> Wed, 31 May 2017 11:52:42 +0100
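Review bot: The new changelog entry carries no CVE reference, although the patch it introduces is tagged Bug-Debian-Security for CVE-2017-1000364 and only the first entry of this group, "mm: enlarge stack guard gap (CVE-2017-1000364)", names it. If this change is needed for that fix to hold when THP is in use, as the patch description suggests, say so in the entry so that a reader of the changelog can tell it is part of the same security fix and not an unrelated cleanup.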
diff --git a/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch b/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
new file mode 100644
index 0000000..574e02d
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
@@ -0,0 +1,52 @@
+From: Michal Hocko <mhocko at suse.com>
+Date: Wed, 14 Jun 2017 08:18:00 +0200
+Subject: mm: do not collapse stack gap into THP
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
+
+Oleg has noticed that khugepaged will happilly collapse stack vma (as
+long as it is not an early stack - see is_vma_temporary_stack) and
+it might effectively remove the stack gap area as well because a larger
+part of the stack vma is usually populated. The same applies to the
+page fault handler.
+
+Fix this by checking stack_guard_area when revalidating a VMA
+in hugepage_vma_revalidate. We do not want to hook/replace
+is_vma_temporary_stack() check because THP might be still useful for
+stack, all we need is excluding the gap from collapsing into a THP.
+
+Also check the to-be-created THP in do_huge_pmd_anonymous_page to
+make sure it is completely outside of the gap area because we we could
+create THP covering the gap area.
+
+Noticed-by: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Michal Hocko <mhocko at suse.com>
+[carnil: backport to 3.16: move stack_guard_area check to huge_memory.c
+in collapse_huge_page]
+---
+ mm/huge_memory.c | 3 +++
+ mm/khugepaged.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -792,6 +792,9 @@ int do_huge_pmd_anonymous_page(struct mm
+
+ if (haddr < vma->vm_start || haddr + HPAGE_PMD_SIZE > vma->vm_end)
+ return VM_FAULT_FALLBACK;
++ if (stack_guard_area(vma, haddr) ||
++ stack_guard_area(vma, haddr + HPAGE_PMD_SIZE))
++ return VM_FAULT_FALLBACK;
+ if (unlikely(anon_vma_prepare(vma)))
+ return VM_FAULT_OOM;
+ if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
+@@ -2435,6 +2438,10 @@ static void collapse_huge_page(struct mm
+ goto out;
+ if (!hugepage_vma_check(vma))
+ goto out;
++
++ /* never try to collapse stack gap */
++ if (stack_guard_area(vma, hstart) || stack_guard_area(vma, hend))
++ goto out;
+ pmd = mm_find_pmd(mm, address);
+ if (!pmd)
+ goto out;
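Review bot: The header of the embedded patch no longer matches its body: the diffstat lists "mm/khugepaged.c | 4 ++++" and "2 files changed", but both hunks apply to mm/huge_memory.c (3 and 4 added lines), as the "[carnil: backport to 3.16 ...]" note says. Regenerate the diffstat for the backport, and extend the carnil note to say that the description's reference to hugepage_vma_revalidate does not apply to 3.16, so nobody goes looking for that function in this tree. In the do_huge_pmd_anonymous_page hunk the new check has no comment, unlike the "/* never try to collapse stack gap */" one in collapse_huge_page; add one there too. Both checks test only the two ends of the range, and "haddr + HPAGE_PMD_SIZE" is one past the last byte of the candidate huge page (the preceding line allows it to equal vma->vm_end). A short comment stating why testing the two ends is enough to keep the whole range out of the gap, and how stack_guard_area() treats an address equal to vm_end, would make the backport reviewable without reading the helper, which is not part of this commit.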
diff --git a/debian/patches/series b/debian/patches/series
index cf6d37b..74d634b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -713,6 +713,7 @@ bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
bugfix/all/mm-enlarge-stack-guard-gap.patch
bugfix/all/mm-allow-to-configure-stack-gap-size.patch
bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch
+bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git