[01/36] mm: fix ia64 crash when gcore reads gate area

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Hugh Dickins <hughd@google.com>
Subject: [01/36] mm: fix ia64 crash when gcore reads gate area
Date: Fri, 06 Aug 2010 12:19:42 -0700	[thread overview]
Message-ID: <20100806192114.528469832@clark.site> (raw)
In-Reply-To: <20100806192649.GA1614@kroah.com>

2.6.34-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Hugh Dickins <hughd@google.com>

commit de51257aa301652876ab6e8f13ea4eadbe4a3846 upstream.

Debian's ia64 autobuilders have been seeing kernel freeze or reboot
when running the gdb testsuite (Debian bug 588574): dannf bisected to
2.6.32 62eede62dafb4a6633eae7ffbeb34c60dba5e7b1 "mm: ZERO_PAGE without
PTE_SPECIAL"; and reproduced it with gdb's gcore on a simple target.

I'd missed updating the gate_vma handling in __get_user_pages(): that
happens to use vm_normal_page() (nowadays failing on the zero page),
yet reported success even when it failed to get a page - boom when
access_process_vm() tried to copy that to its intermediate buffer.

Fix this, resisting cleanups: in particular, leave it for now reporting
success when not asked to get any pages - very probably safe to change,
but let's not risk it without testing exposure.

Why did ia64 crash with 16kB pages, but succeed with 64kB pages?
Because setup_gate() pads each 64kB of its gate area with zero pages.

Reported-by: Andreas Barth <aba@not.so.argh.org>
Bisected-by: dann frazier <dannf@debian.org>
Signed-off-by: Hugh Dickins <hughd@google.com>
Tested-by: dann frazier <dannf@dannf.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 mm/memory.c |   16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1385,10 +1385,20 @@ int __get_user_pages(struct task_struct
 				return i ? : -EFAULT;
 			}
 			if (pages) {
-				struct page *page = vm_normal_page(gate_vma, start, *pte);
+				struct page *page;
+
+				page = vm_normal_page(gate_vma, start, *pte);
+				if (!page) {
+					if (!(gup_flags & FOLL_DUMP) &&
+					     is_zero_pfn(pte_pfn(*pte)))
+						page = pte_page(*pte);
+					else {
+						pte_unmap(pte);
+						return i ? : -EFAULT;
+					}
+				}
 				pages[i] = page;
-				if (page)
-					get_page(page);
+				get_page(page);
 			}
 			pte_unmap(pte);
 			if (vmas)

next prev parent reply	other threads:[~2010-08-06 19:27 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-08-06 19:26 [00/36] 2.6.34.3-stable review Greg KH
2010-08-06 19:19 ` Greg KH [this message]
2010-08-06 19:19 ` [02/36] NFS: kswapd must not block in nfs_release_page Greg KH
2010-08-06 19:19 ` [03/36] NFS: Fix a typo in include/linux/nfs_fs.h Greg KH
2010-08-06 19:19 ` [04/36] comedi: Uncripple 8255-based DIO subdevices Greg KH
2010-08-06 19:19 ` [05/36] PARISC: led.c - fix potential stack overflow in led_proc_write() Greg KH
2010-08-06 19:19 ` [06/36] arm/imx/gpio: add spinlock protection Greg KH
2010-08-06 19:19 ` [07/36] parisc: pass through \t to early (iodc) console Greg KH
2010-08-06 19:19 ` [08/36] amd64_edac: Fix DCT base address selector Greg KH
2010-08-06 19:19 ` [09/36] amd64_edac: Correct scrub rate setting Greg KH
2010-08-06 19:19 ` [10/36] amd64_edac: Fix operator precendence error Greg KH
2010-08-06 19:19 ` [11/36] e1000e: dont inadvertently re-set INTX_DISABLE Greg KH
2010-08-06 19:19 ` [12/36] e1000e: 82577/82578 PHY register access issues Greg KH
2010-08-06 19:19 ` [13/36] 9p: strlen() doesnt count the terminator Greg KH
2010-08-06 19:19 ` [14/36] igb: Use only a single Tx queue in SR-IOV mode Greg KH
2010-08-06 19:19 ` [15/36] ath9k: enable serialize_regmode for non-PCIE AR9160 Greg KH
2010-08-06 19:19 ` [16/36] ath9k: fix a potential buffer leak in the STA teardown path Greg KH
2010-08-06 19:19 ` [17/36] ath9k_hw: fix an off-by-one error in the PDADC boundaries calculation Greg KH
2010-08-06 19:19 ` [18/36] ath9k: fix TSF after reset on AR913x Greg KH
2010-08-06 19:20 ` [19/36] ath9k: fix yet another buffer leak in the tx aggregation code Greg KH
2010-08-06 19:20 ` [20/36] iwlwifi: fix scan abort Greg KH
2010-08-06 19:20 ` [21/36] cfg80211: ignore spurious deauth Greg KH
2010-08-06 19:20 ` [22/36] cfg80211: dont get expired BSSes Greg KH
2010-08-06 19:20 ` [23/36] mac80211: avoid scheduling while atomic in mesh_rx_plink_frame Greg KH
2010-08-06 19:20 ` [24/36] SCSI: enclosure: fix error path - actually return ERR_PTR() on error Greg KH
2010-08-06 19:20 ` [25/36] GFS2: rename causes kernel Oops Greg KH
2010-08-06 19:20 ` [26/36] KVM: MMU: flush remote tlbs when overwriting spte with different pfn Greg KH
2010-08-06 19:20 ` [27/36] xen: drop xen_sched_clock in favour of using plain wallclock time Greg KH
2010-08-06 19:20 ` [28/36] drm/radeon/kms/igp: sideport is AMD only Greg KH
2010-08-06 19:20 ` [29/36] drm/radeon: add new pci ids Greg KH
2010-08-06 19:20 ` [30/36] drm/radeon/kms/r7xx: add workaround for hw issue with HDP flush Greg KH
2010-08-06 19:20 ` [31/36] drm/i915: Check overlay stride errata for i830 and i845 Greg KH
2010-08-06 19:20 ` [32/36] Revert "ssb: Handle Netbook devices where the SPROM address is changed" Greg KH
2010-08-06 19:20 ` [33/36] ssb: do not read SPROM if it does not exist Greg KH
2010-08-06 19:20 ` [34/36] ssb: Look for SPROM at different offset on higher rev CC Greg KH
2010-08-06 19:20 ` [35/36] ssb: fix NULL ptr deref when pcihost_wrapper is used Greg KH
2010-08-06 19:20 ` [36/36] ssb: Handle alternate SSPROM location Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100806192114.528469832@clark.site \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=hughd@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable-review@kernel.org \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox