author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-04-30 12:04:21 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-04-30 12:04:59 -0400 |
commit | 9cf61afb0e5b39f807ae403fe27b9b7af540bbdb (patch) | |
tree | 5dba02f724c7c001e10ab0a46b291d9c61d778f2 | |
parent | 56a2b5d4a885d0f2bc6bfc8a9debe11bc7ffd9d2 (diff) | |
CVE-2014-XXXX: mm: fix locking DoS issue (rhbz 1093084 1093076)
-rw-r--r-- | kernel.spec | 9 | ||||
-rw-r--r-- | mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch | 95 |
2 files changed, 104 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 09236c62..0939e1fe 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -748,6 +748,9 @@ Patch25067: ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patc
 #rhbz 696821
 Patch25068: fanotify-fix-EOVERFLOW-on-64-bit.patch
+#CVE-2014-XXXX rhbz 1093076 1093084
+Patch25069: mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1450,6 +1453,9 @@ ApplyPatch ACPICA-Tables-Fix-bad-pointer-issue-in-acpi_tb_parse_root_table.patch
 #rhbz 696821
 ApplyPatch fanotify-fix-EOVERFLOW-on-64-bit.patch
+#CVE-2014-XXXX rhbz 1093076 1093084
+ApplyPatch mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2261,6 +2267,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Wed Apr 30 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-XXXX: mm: fix locking DoS issue (rhbz 1093084 1093076)
+
 * Mon Apr 28 2014 Justin M. Forbes <jforbes@fedoraproject.org> 3.14.2-200
 - Linux v3.14.2 (rhbz 1067071 1091722 906568)
diff --git a/mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch b/mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch
new file mode 100644
index 00000000..60804192
--- /dev/null
+++ b/mm-try_to_unmap_cluster-should-lock_page-before-mloc.patch
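Review bot: The identifier `CVE-2014-XXXX` in the two new `#CVE-2014-XXXX rhbz 1093076 1093084` comments and in the changelog line is a placeholder, so nothing in the spec yet ties Patch25069 to the CVE that will be assigned. When the real ID arrives, replace it in the Patch25069 comment, the ApplyPatch comment and the changelog entry in one commit, since advisory and errata tooling typically locates a fix by grepping the spec for the CVE string. Until then the rhbz numbers are the only reliable cross-reference, which is worth noting in the changelog text itself.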
@@ -0,0 +1,95 @@
+Bugzilla: 1093084
+Upstream-status: 3.15 and stable CC'd
+
+From 57e68e9cd65b4b8eb4045a1e0d0746458502554c Mon Sep 17 00:00:00 2001
+From: Vlastimil Babka <vbabka@suse.cz>
+Date: Mon, 7 Apr 2014 15:37:50 -0700
+Subject: [PATCH] mm: try_to_unmap_cluster() should lock_page() before mlocking
+
+A BUG_ON(!PageLocked) was triggered in mlock_vma_page() by Sasha Levin
+fuzzing with trinity. The call site try_to_unmap_cluster() does not lock
+the pages other than its check_page parameter (which is already locked).
+
+The BUG_ON in mlock_vma_page() is not documented and its purpose is
+somewhat unclear, but apparently it serializes against page migration,
+which could otherwise fail to transfer the PG_mlocked flag. This would
+not be fatal, as the page would be eventually encountered again, but
+NR_MLOCK accounting would become distorted nevertheless. This patch adds
+a comment to the BUG_ON in mlock_vma_page() and munlock_vma_page() to that
+effect.
+
+The call site try_to_unmap_cluster() is fixed so that for page !=
+check_page, trylock_page() is attempted (to avoid possible deadlocks as we
+already have check_page locked) and mlock_vma_page() is performed only
+upon success. If the page lock cannot be obtained, the page is left
+without PG_mlocked, which is again not a problem in the whole unevictable
+memory design.
+
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Bob Liu <bob.liu@oracle.com>
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Wanpeng Li <liwanp@linux.vnet.ibm.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Rik van Riel <riel@redhat.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Mel Gorman <mgorman@suse.de>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ mm/mlock.c | 2 ++
+ mm/rmap.c | 14 ++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/mm/mlock.c b/mm/mlock.c
+index 4e1a68162285..b1eb53634005 100644
+--- a/mm/mlock.c
++++ b/mm/mlock.c
+@@ -79,6 +79,7 @@ void clear_page_mlock(struct page *page)
+ */
+ void mlock_vma_page(struct page *page)
+ {
++ /* Serialize with page migration */
+ BUG_ON(!PageLocked(page));
+
+ if (!TestSetPageMlocked(page)) {
+@@ -174,6 +175,7 @@ unsigned int munlock_vma_page(struct page *page)
+ unsigned int nr_pages;
+ struct zone *zone = page_zone(page);
+
++ /* For try_to_munlock() and to serialize with page migration */
+ BUG_ON(!PageLocked(page));
+
+ /*
+diff --git a/mm/rmap.c b/mm/rmap.c
+index 11cf322f8133..9c3e77396d1a 100644
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1332,9 +1332,19 @@ static int try_to_unmap_cluster(unsigned long cursor, unsigned int *mapcount,
+ BUG_ON(!page || PageAnon(page));
+
+ if (locked_vma) {
+- mlock_vma_page(page); /* no-op if already mlocked */
+- if (page == check_page)
++ if (page == check_page) {
++ /* we know we have check_page locked */
++ mlock_vma_page(page);
+ ret = SWAP_MLOCK;
++ } else if (trylock_page(page)) {
++ /*
++ * If we can lock the page, perform mlock.
++ * Otherwise leave the page alone, it will be
++ * eventually encountered again later.
++ */
++ mlock_vma_page(page);
++ unlock_page(page);
++ }
+ continue; /* don't unmap */
+ }
+
+--
+1.9.0
+
|
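Review bot: The `/* Serialize with page migration */` comment added above `BUG_ON(!PageLocked(page))` in mlock_vma_page() names the mechanism but not the caller contract or the consequence, both of which only the commit message gives, and the BUG_ON still turns any future unlocked caller into a panic, the same crash class this change fixes. Suggest stating both inline: `/* Caller must hold the page lock: serializes with page migration, which could otherwise fail to transfer PG_mlocked and distort NR_MLOCK */`. In the mm/rmap.c hunk, the comment on the trylock_page() fallback could likewise say that a page skipped here stays mapped and unflagged until a later scan, so a reader sees why the `continue` is still correct on the failed-trylock path. try_to_unmap_cluster() starts and ends outside the hunk.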