[linux] 05/07: mm: do not collapse stack gap into THP

debian-kernel at lists.debian.org
Mon Jun 19 15:38:53 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch stretch-security
in repository linux.

commit 81b0edda1a51726460362f6c2fe2f10113bb048d
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu Jun 15 19:05:43 2017 +0200

    mm: do not collapse stack gap into THP
---
 debian/changelog                                   |  1 +
 .../mm-do-not-collapse-stack-gap-into-THP.patch    | 59 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 61 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6bbe3a0..eb7099b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ linux (4.9.30-2+deb9u1) UNRELEASED; urgency=medium
   * mm: allow to configure stack gap size
   * mm, proc: cap the stack gap for unpopulated growing vmas
   * mm, proc: drop priv parameter from is_stack
+  * mm: do not collapse stack gap into THP
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 13 Jun 2017 19:05:45 +0200
 
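Review bot: the new changelog entry "mm: do not collapse stack gap into THP" does not name the CVE it addresses, although the patch header added in this same commit carries Bug-Debian-Security for CVE-2017-1000364. None of the neighbouring stack gap entries visible in this hunk carry the id either, so unless an entry outside this context already ties the group to the CVE, consider adding "(CVE-2017-1000364)" to one of them so the upload can be matched to the tracker from the changelog alone.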
diff --git a/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch b/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
new file mode 100644
index 0000000..abaf33a
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
@@ -0,0 +1,59 @@
+From: Michal Hocko <mhocko at suse.com>
+Date: Wed, 14 Jun 2017 08:18:00 +0200
+Subject: mm: do not collapse stack gap into THP
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000364
+
+Oleg has noticed that khugepaged will happilly collapse stack vma (as
+long as it is not an early stack - see is_vma_temporary_stack) and
+it might effectively remove the stack gap area as well because a larger
+part of the stack vma is usually populated. The same applies to the
+page fault handler.
+
+Fix this by checking stack_guard_area when revalidating a VMA
+in hugepage_vma_revalidate.  We do not want to hook/replace
+is_vma_temporary_stack() check because THP might be still useful for
+stack, all we need is excluding the gap from collapsing into a THP.
+
+Also check the to-be-created THP in do_huge_pmd_anonymous_page to
+make sure it is completely outside of the gap area because we we could
+create THP covering the gap area.
+
+Noticed-by: Oleg Nesterov <oleg at redhat.com>
+Signed-off-by: Michal Hocko <mhocko at suse.com>
+---
+ mm/huge_memory.c | 3 +++
+ mm/khugepaged.c  | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index a84909cf20d3..a8b6881bb2a2 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -664,6 +664,9 @@ int do_huge_pmd_anonymous_page(struct vm_fault *vmf)
+ 
+ 	if (haddr < vma->vm_start || haddr + HPAGE_PMD_SIZE > vma->vm_end)
+ 		return VM_FAULT_FALLBACK;
++	if (stack_guard_area(vma, haddr) ||
++			stack_guard_area(vma, haddr + HPAGE_PMD_SIZE))
++		return VM_FAULT_FALLBACK;
+ 	if (unlikely(anon_vma_prepare(vma)))
+ 		return VM_FAULT_OOM;
+ 	if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 945fd1ca49b5..75d7fff36957 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -858,6 +858,10 @@ static int hugepage_vma_revalidate(struct mm_struct *mm, unsigned long address,
+ 		return SCAN_ADDRESS_RANGE;
+ 	if (!hugepage_vma_check(vma))
+ 		return SCAN_VMA_CHECK;
++
++	/* never try to collapse stack gap */
++	if (stack_guard_area(vma, hstart) || stack_guard_area(vma, hend))
++		return SCAN_ADDRESS_RANGE;
+ 	return 0;
+ }
+ 
+-- 
+2.11.0
+
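Review bot: both added checks call stack_guard_area() only at the two boundary addresses of the huge page range (haddr and haddr + HPAGE_PMD_SIZE in do_huge_pmd_anonymous_page, hstart and hend in hugepage_vma_revalidate), so a guard area lying strictly between those two addresses would pass. Since this series also makes the gap size configurable ("mm: allow to configure stack gap size" in the changelog), the commit message or a comment should say why two point checks are sufficient, or the check should test the whole range for overlap with the gap. The second address in the huge_memory.c pair is also an exclusive end: the line just above compares haddr + HPAGE_PMD_SIZE > vma->vm_end, so it is the first byte past the huge page, and haddr + HPAGE_PMD_SIZE - 1 would test the last byte actually covered (likewise hend - 1, if hend is exclusive too). Smaller points: the khugepaged.c check has a comment while the huge_memory.c one has none, and the embedded patch header has no Origin or Forwarded field to say where the change comes from.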
diff --git a/debian/patches/series b/debian/patches/series
index 3818751..3b6f1bc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -124,6 +124,7 @@ bugfix/all/mm-enlarge-stack-guard-gap.patch
 bugfix/all/mm-allow-to-configure-stack-gap-size.patch
 bugfix/all/mm-proc-cap-the-stack-gap-for-unpopulated-growing-vm.patch
 bugfix/all/mm-proc-drop-priv-parameter-from-is_stack.patch
+bugfix/all/mm-do-not-collapse-stack-gap-into-THP.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


