[kernel] r11741 - in dists/etch/linux-2.6.24/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jul 1 14:43:25 UTC 2008
Author: dannf
Date: Tue Jul 1 14:43:24 2008
New Revision: 11741
Log:
Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP
(CVE-2008-2729)
Added:
dists/etch/linux-2.6.24/debian/patches/bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch
Modified:
dists/etch/linux-2.6.24/debian/changelog
dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog (original)
+++ dists/etch/linux-2.6.24/debian/changelog Tue Jul 1 14:43:24 2008
@@ -1,9 +1,11 @@
-linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
+linux-2.6.24 (2.6.24-6~etchnhalf.4) UNRELEASED; urgency=low
* Fix potential overflow condition in sctp_getsockopt_local_addrs_old
(CVE-2008-2826)
+ * Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP
+ (CVE-2008-2729)
- -- dann frazier <dannf at debian.org> Tue, 01 Jul 2008 01:50:46 -0600
+ -- dann frazier <dannf at debian.org> Tue, 01 Jul 2008 02:15:43 -0600
linux-2.6.24 (2.6.24-6~etchnhalf.3) stable; urgency=low
Added: dists/etch/linux-2.6.24/debian/patches/bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch Tue Jul 1 14:43:24 2008
@@ -0,0 +1,134 @@
+commit 89f5b7da2a6bad2e84670422ab8192382a5aeb9f
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri Jun 20 11:18:25 2008 -0700
+
+ Reinstate ZERO_PAGE optimization in 'get_user_pages()' and fix XIP
+
+ KAMEZAWA Hiroyuki and Oleg Nesterov point out that since the commit
+ 557ed1fa2620dc119adb86b34c614e152a629a80 ("remove ZERO_PAGE") removed
+ the ZERO_PAGE from the VM mappings, any users of get_user_pages() will
+ generally now populate the VM with real empty pages needlessly.
+
+ We used to get the ZERO_PAGE when we did the "handle_mm_fault()", but
+ since fault handling no longer uses ZERO_PAGE for new anonymous pages,
+ we now need to handle that special case in follow_page() instead.
+
+ In particular, the removal of ZERO_PAGE effectively removed the core
+ file writing optimization where we would skip writing pages that had not
+ been populated at all, and increased memory pressure a lot by allocating
+ all those useless newly zeroed pages.
+
+ This reinstates the optimization by making the unmapped PTE case the
+ same as for a non-existent page table, which already did this correctly.
+
+ While at it, this also fixes the XIP case for follow_page(), where the
+ caller could not differentiate between the case of a page that simply
+ could not be used (because it had no "struct page" associated with it)
+ and a page that just wasn't mapped.
+
+ We do that by simply returning an error pointer for pages that could not
+ be turned into a "struct page *". The error is arbitrarily picked to be
+ EFAULT, since that was what get_user_pages() already used for the
+ equivalent IO-mapped page case.
+
+ [ Also removed an impossible test for pte_offset_map_lock() failing:
+ that's not how that function works ]
+
+ Acked-by: Oleg Nesterov <oleg at tv-sign.ru>
+ Acked-by: Nick Piggin <npiggin at suse.de>
+ Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu at jp.fujitsu.com>
+ Cc: Hugh Dickins <hugh at veritas.com>
+ Cc: Andrew Morton <akpm at linux-foundation.org>
+ Cc: Ingo Molnar <mingo at elte.hu>
+ Cc: Roland McGrath <roland at redhat.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/arch/powerpc/kernel/vdso.c linux-source-2.6.24/arch/powerpc/kernel/vdso.c
+--- linux-source-2.6.24.orig/arch/powerpc/kernel/vdso.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/arch/powerpc/kernel/vdso.c 2008-07-01 02:09:37.000000000 -0600
+@@ -141,7 +141,7 @@ static void dump_one_vdso_page(struct pa
+ printk("kpg: %p (c:%d,f:%08lx)", __va(page_to_pfn(pg) << PAGE_SHIFT),
+ page_count(pg),
+ pg->flags);
+- if (upg/* && pg != upg*/) {
++ if (upg && !IS_ERR(upg) /* && pg != upg*/) {
+ printk(" upg: %p (c:%d,f:%08lx)", __va(page_to_pfn(upg)
+ << PAGE_SHIFT),
+ page_count(upg),
+diff -urpN linux-source-2.6.24.orig/mm/memory.c linux-source-2.6.24/mm/memory.c
+--- linux-source-2.6.24.orig/mm/memory.c 2008-05-07 16:34:46.000000000 -0600
++++ linux-source-2.6.24/mm/memory.c 2008-07-01 02:09:37.000000000 -0600
+@@ -934,17 +934,15 @@ struct page *follow_page(struct vm_area_
+ }
+
+ ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
+- if (!ptep)
+- goto out;
+
+ pte = *ptep;
+ if (!pte_present(pte))
+- goto unlock;
++ goto no_page;
+ if ((flags & FOLL_WRITE) && !pte_write(pte))
+ goto unlock;
+ page = vm_normal_page(vma, address, pte);
+ if (unlikely(!page))
+- goto unlock;
++ goto bad_page;
+
+ if (flags & FOLL_GET)
+ get_page(page);
+@@ -959,6 +957,15 @@ unlock:
+ out:
+ return page;
+
++bad_page:
++ pte_unmap_unlock(ptep, ptl);
++ return ERR_PTR(-EFAULT);
++
++no_page:
++ pte_unmap_unlock(ptep, ptl);
++ if (!pte_none(pte))
++ return page;
++ /* Fall through to ZERO_PAGE handling */
+ no_page_table:
+ /*
+ * When core dumping an enormous anonymous area that nobody
+@@ -1095,6 +1102,8 @@ int get_user_pages(struct task_struct *t
+
+ cond_resched();
+ }
++ if (IS_ERR(page))
++ return i ? i : PTR_ERR(page);
+ if (pages) {
+ pages[i] = page;
+
+diff -urpN linux-source-2.6.24.orig/mm/migrate.c linux-source-2.6.24/mm/migrate.c
+--- linux-source-2.6.24.orig/mm/migrate.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/mm/migrate.c 2008-07-01 02:09:37.000000000 -0600
+@@ -823,6 +823,11 @@ static int do_move_pages(struct mm_struc
+ goto set_status;
+
+ page = follow_page(vma, pp->addr, FOLL_GET);
++
++ err = PTR_ERR(page);
++ if (IS_ERR(page))
++ goto set_status;
++
+ err = -ENOENT;
+ if (!page)
+ goto set_status;
+@@ -886,6 +891,11 @@ static int do_pages_stat(struct mm_struc
+ goto set_status;
+
+ page = follow_page(vma, pm->addr, 0);
++
++ err = PTR_ERR(page);
++ if (IS_ERR(page))
++ goto set_status;
++
+ err = -ENOENT;
+ /* Use PageReserved to check for zero page */
+ if (!page || PageReserved(page))
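Review bot: follow_page() now has three outcomes (a valid page, NULL, and `ERR_PTR(-EFAULT)` from the new `bad_page` label in mm/memory.c), but nothing in the patch documents that contract, so a caller that still tests only `if (!page)` would go on to dereference an error pointer. The patch converts the sites in vdso.c, get_user_pages(), do_move_pages() and do_pages_stat(); any other follow_page() caller in the Debian 2.6.24 tree or in out-of-tree modules is not visible here and should be checked for an `IS_ERR()` test. I would add a comment above follow_page() such as `/* Returns the page, NULL if no page is mapped, or ERR_PTR(-EFAULT) when the pte has no struct page; callers must test IS_ERR() before use. */`. Under `no_page`, `return page;` relies on `page` still holding its initial value from outside the hunk (presumably NULL), so `return NULL;` would state the intent directly. All four functions begin and end outside the quoted hunks.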
Modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4
==============================================================================
--- dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4 (original)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.4 Tue Jul 1 14:43:24 2008
@@ -1 +1,2 @@
+ bugfix/sctp-make-sure-n-sizeof-does-not-overflow.patch
++ bugfix/reinstate-zero_page-optimization-in-get_user_pages-and-fix-xip.patch