authorMichal Hocko <mhocko@suse.cz>2017-05-31 15:47:18 +0200
committerMichal Hocko <mhocko@suse.cz>2017-05-31 15:47:24 +0200
commit0b7966455abee733863909156d85b88ce26ba8a2 (patch)
treed4080ed3678b2908eee434c2d7e3b6c4dcbb8577
parentd016488325eaa0a060aa72d24cd9c07e904b6f4c (diff)
mm: do not collapse stack gap into THP (bnc#1039348,
CVE-2017-1000364).
-rw-r--r--patches.fixes/0002-mm-do-not-collapse-stack-gap-into-THP.patch53
-rw-r--r--series.conf1
2 files changed, 54 insertions, 0 deletions
diff --git a/patches.fixes/0002-mm-do-not-collapse-stack-gap-into-THP.patch b/patches.fixes/0002-mm-do-not-collapse-stack-gap-into-THP.patch
new file mode 100644
index 0000000000..0a8aa5e6d0
--- /dev/null
+++ b/patches.fixes/0002-mm-do-not-collapse-stack-gap-into-THP.patch
@@ -0,0 +1,53 @@
+From 607215cfdd1a14871f621082ffc9448778991372 Mon Sep 17 00:00:00 2001
+From: Michal Hocko <mhocko@suse.com>
+Date: Thu, 25 May 2017 08:12:42 +0200
+Subject: [PATCH 2/2] mm: do not collapse stack gap into THP
+Patch-mainline: not yet (security@kernel.org discussion pending)
+References: bnc#1039348, CVE-2017-1000364
+
+Oleg has noticed that khugepaged will happilly collapse stack vma (as
+long as it is not an early stack - see is_vma_temporary_stack) and
+it might effectively remove the stack gap area as well because a larger
+part of the stack vma is usually populated. The same applies to the
+page fault handler.
+
+Fix this by checking stack_guard_area when revalidating a VMA
+in hugepage_vma_revalidate. We do not want to hook/replace
+is_vma_temporary_stack() check because THP might be still useful for
+stack, all we need is excluding the gap from collapsing into a THP.
+
+Also check the to-be-created THP in do_huge_pmd_anonymous_page to
+make sure it is completely outside of the gap area because we we could
+create THP covering the gap area.
+
+Noticed-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+
+---
+ mm/huge_memory.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -846,6 +846,9 @@ int do_huge_pmd_anonymous_page(struct mm
+
+ if (haddr < vma->vm_start || haddr + HPAGE_PMD_SIZE > vma->vm_end)
+ return VM_FAULT_FALLBACK;
++ if (stack_guard_area(vma, haddr) ||
++ stack_guard_area(vma, haddr + HPAGE_PMD_SIZE))
++ return VM_FAULT_FALLBACK;
+ if (unlikely(anon_vma_prepare(vma)))
+ return VM_FAULT_OOM;
+ if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
+@@ -2591,6 +2594,11 @@ static void collapse_huge_page(struct mm
+ goto out;
+ if (!hugepage_vma_check(vma))
+ goto out;
++
++ /* never try to collapse stack gap */
++ if (stack_guard_area(vma, hstart) || stack_guard_area(vma, hend))
++ goto out;
++
+ pmd = mm_find_pmd(mm, address);
+ if (!pmd)
+ goto out;
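Review bot: Both new checks pass the one-past-the-end address as the upper bound — `haddr + HPAGE_PMD_SIZE`, which the preceding guard on the line above allows to equal `vma->vm_end`, and `hend` in collapse_huge_page — so whether the top of the range is caught depends on stack_guard_area() (introduced by the 0001 patch, not visible here) treating `addr == vm_end` as inside the gap; for a VM_GROWSUP stack whose gap sits at the top of the vma the topmost huge page could slip past both tests. Passing the last byte actually covered is unambiguous: `stack_guard_area(vma, haddr + HPAGE_PMD_SIZE - 1)`. In collapse_huge_page the test is also made against hstart/hend, which from the surrounding context appear to be the vma-wide aligned bounds computed above the hunk rather than the 2MB range being collapsed, so it does not examine the region that would actually become a THP; mirroring the fault path with `if (stack_guard_area(vma, address) || stack_guard_area(vma, address + HPAGE_PMD_SIZE - 1))` checks exactly what the message says should be excluded, the gap itself, and leaves the rest of the stack collapsible. The commit message names hugepage_vma_revalidate while the hunk lands in collapse_huge_page, so one of the two should be aligned with the other. Both do_huge_pmd_anonymous_page and collapse_huge_page begin and end outside the hunk.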
diff --git a/series.conf b/series.conf
index 8ef4e4cdd1..b0f5e4d00a 100644
--- a/series.conf
+++ b/series.conf
@@ -1736,6 +1736,7 @@
patches.fixes/mm-memblock.c-fix-memblock_next_valid_pfn.patch
patches.fixes/0001-mm-enlarge-stack-guard-gap.patch
+ patches.fixes/0002-mm-do-not-collapse-stack-gap-into-THP.patch
########################################################
# IPC patches