From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sasha Levin <sasha.levin@oracle.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Wang Long <long.wanglong@huawei.com>
Subject: [PATCH 3.10 17/31] mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support
Date: Sun, 26 Apr 2015 15:46:37 +0200
Message-ID: <20150426134210.116435049@linuxfoundation.org>
In-Reply-To: <20150426134209.255099785@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
commit ee53664bda169f519ce3c6a22d378f0b946c8178 upstream.
Sasha Levin found a NULL pointer dereference that is due to a missing
page table lock, which in turn is due to the pmd entry in question being
a transparent huge-table entry.
The code - introduced in commit 1998cc048901 ("mm: make
madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
turns out that that function doesn't work correctly.
pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
trigger if the transparent hugepage bit was set, but it doesn't do that
if pmd_numa() is also set. Note that the NUMA bit only gets set on real
NUMA machines, so people trying to reproduce this on most normal
development systems would never actually trigger this.
Fix it by removing the very subtle (and subtly incorrect) expectation,
and instead just checking pmd_trans_huge() explicitly.
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
[ Additionally remove the now stale test for pmd_trans_huge() inside the
pmd_bad() case - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Wang Long <long.wanglong@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/pgtable.h | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/include/asm-generic/pgtable.h
+++ b/include/asm-generic/pgtable.h
@@ -550,11 +550,10 @@ static inline int pmd_none_or_trans_huge
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
barrier();
#endif
- if (pmd_none(pmdval))
+ if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
return 1;
if (unlikely(pmd_bad(pmdval))) {
- if (!pmd_trans_huge(pmdval))
- pmd_clear_bad(pmd);
+ pmd_clear_bad(pmd);
return 1;
}
return 0;
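Review bot: the new early return answers 1 for a transparent huge pmd exactly as it does for a none pmd, so a caller cannot tell the two apart; that is only safe for callers that treat 1 as "skip this pmd" rather than "walk it" or "nothing is mapped here", and while the madvise(MADV_WILLNEED) walk named in the commit message is such a caller, the backport should be checked against the other 3.10 callers of pmd_none_or_trans_huge_or_clear_bad() before merging. The fix also rests entirely on pmd_trans_huge() being true for a huge pmd that carries the NUMA bit: the commit message says pmd_bad() does not report that entry, and pmd_bad() is not changed here, so if the 3.10 arch definition of pmd_trans_huge() tested the present bit rather than the huge bit, the function would fall through to return 0 just as it did before the patch. Worth confirming on the arch that reproduces the bug. On the positive side, all three predicates are evaluated on the local pmdval snapshot taken before barrier(), so the entry cannot change under the checks, and dropping the inner pmd_trans_huge() test in the pmd_bad() branch is right once huge entries are filtered above it.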
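The commit message explains the bug in terms of three predicates: pmd_none(), pmd_trans_huge() and a pmd_bad() that stays silent when the NUMA hinting bit is set. The following is an added, constructed model of those predicates and of the check before and after the hunk; it is not kernel code and not part of this patch. The bit layout (present, PSE, NUMA, the _KERNPG_TABLE mask) is a simplified x86-like layout chosen for the example, and the NUMA special case inside pmd_bad() is modelled on what the commit message describes rather than copied from any header. It shows the one input on which the two versions disagree: a huge pmd marked for NUMA hinting, which the old check reports as a valid page table to walk.

```c
/*
 * Constructed model of the pmd checks touched by the fix above.
 * Bit values are assumptions for this example, not kernel definitions.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pmd_t;

#define _PAGE_PRESENT  0x001ULL
#define _PAGE_RW       0x002ULL
#define _PAGE_USER     0x004ULL
#define _PAGE_ACCESSED 0x020ULL
#define _PAGE_DIRTY    0x040ULL
#define _PAGE_PSE      0x080ULL   /* huge (2M) pmd in this model */
#define _PAGE_NUMA     0x100ULL   /* NUMA hinting: PRESENT cleared, this bit set */
#define PTE_PFN_MASK   (~0xfffULL)
#define _KERNPG_TABLE  (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | _PAGE_DIRTY)

static uint64_t pmd_flags(pmd_t pmd) { return pmd & ~PTE_PFN_MASK; }
static int pmd_none(pmd_t pmd) { return pmd == 0; }
static int pmd_trans_huge(pmd_t pmd) { return (pmd & _PAGE_PSE) != 0; }
static int pmd_numa(pmd_t pmd)
{
    return (pmd_flags(pmd) & (_PAGE_NUMA | _PAGE_PRESENT)) == _PAGE_NUMA;
}
/* pmd_bad() as the commit message describes it: a NUMA-marked entry is
 * deliberately not reported as bad, so a huge pmd with the NUMA bit passes. */
static int pmd_bad(pmd_t pmd)
{
    if (pmd_numa(pmd))
        return 0;
    return (pmd_flags(pmd) & ~_PAGE_USER) != _KERNPG_TABLE;
}
static void pmd_clear_bad(pmd_t *pmd) { *pmd = 0; }

/* The check as it read before the patch (the '-' lines of the hunk). */
int check_before(pmd_t *pmd)
{
    pmd_t pmdval = *pmd;
    if (pmd_none(pmdval))
        return 1;
    if (pmd_bad(pmdval)) {
        if (!pmd_trans_huge(pmdval))
            pmd_clear_bad(pmd);
        return 1;
    }
    return 0;   /* caller walks the pte level below this pmd */
}

/* The check as it reads after the patch (the '+' lines of the hunk). */
int check_after(pmd_t *pmd)
{
    pmd_t pmdval = *pmd;
    if (pmd_none(pmdval) || pmd_trans_huge(pmdval))
        return 1;
    if (pmd_bad(pmdval)) {
        pmd_clear_bad(pmd);
        return 1;
    }
    return 0;
}

/* Constructed sample entries (pfn value is arbitrary). */
#define SAMPLE_PFN 0x12345000ULL
pmd_t sample_table(void)     { return SAMPLE_PFN | _KERNPG_TABLE | _PAGE_USER; }
pmd_t sample_huge(void)      { return sample_table() | _PAGE_PSE; }
pmd_t sample_huge_numa(void) { return (sample_huge() & ~_PAGE_PRESENT) | _PAGE_NUMA; }
pmd_t sample_garbage(void)   { return SAMPLE_PFN | _PAGE_RW; }  /* not present, not huge, not NUMA */

/* Run each check on a private copy and report the result / whether it cleared the entry. */
int before_result(pmd_t v) { return check_before(&v); }
int after_result(pmd_t v)  { return check_after(&v); }
int before_clears(pmd_t v) { check_before(&v); return v == 0; }
int after_clears(pmd_t v)  { check_after(&v);  return v == 0; }

int main(void)
{
    pmd_t cases[] = { 0, sample_table(), sample_huge(), sample_huge_numa(), sample_garbage() };
    const char *names[] = { "none", "page table", "huge", "huge+NUMA", "garbage" };
    for (int i = 0; i < 5; i++)
        printf("%-11s before=%d after=%d\n", names[i],
               before_result(cases[i]), after_result(cases[i]));
    return 0;
}
```

The "huge+NUMA" row is the reported crash: the old check returns 0, so the caller descends into what it believes is a page table of ptes without taking the huge-page lock; the new check returns 1 and the caller skips the entry. The other four rows behave identically in both versions, which is why the bug only surfaced on a NUMA machine.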
2015-04-26 13:46 [PATCH 3.10 00/31] 3.10.76-stable review Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 01/31] conditionally define U32_MAX Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 02/31] remove extra definitions of U32_MAX Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 03/31] tcp: prevent fetching dst twice in early demux code Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 04/31] ipv6: Dont reduce hop limit for an interface Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 05/31] tcp: fix FRTO undo on cumulative ACK of SACKed range Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 06/31] tcp: tcp_make_synack() should clear skb->tstamp Greg Kroah-Hartman
2015-04-27 4:02 ` Willy Tarreau
2015-04-27 4:23 ` Eric Dumazet
2015-04-27 4:45 ` David Miller
2015-04-26 13:46 ` [PATCH 3.10 07/31] 8139cp: Call dev_kfree_skby_any instead of kfree_skb Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 08/31] 8139too: Call dev_kfree_skby_any instead of dev_kfree_skb Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 09/31] r8169: " Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 10/31] bnx2: " Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 11/31] tg3: " Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 12/31] ixgb: " Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 13/31] benet: Call dev_kfree_skby_any instead of kfree_skb Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 14/31] serial: 8250_dw: Fix deadlock in LCR workaround Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 15/31] jfs: fix readdir regression Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 16/31] splice: Apply generic position and size checks to each write Greg Kroah-Hartman
2015-04-26 13:46 ` Greg Kroah-Hartman [this message]
2015-04-26 13:46 ` [PATCH 3.10 18/31] Bluetooth: Enable Atheros 0cf3:311e for firmware upload Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 19/31] Bluetooth: Add firmware update for Atheros 0cf3:311f Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 20/31] Bluetooth: btusb: Add IMC Networks (Broadcom based) Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 21/31] Bluetooth: Add support for Intel bootloader devices Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 22/31] Bluetooth: Ignore isochronous endpoints for Intel USB bootloader Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 23/31] netfilter: conntrack: disable generic tracking for known protocols Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 24/31] KVM: x86: SYSENTER emulation is broken Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 26/31] move d_rcu from overlapping d_child to overlapping d_alias Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 27/31] deal with deadlock in d_walk() Greg Kroah-Hartman
2015-04-27 1:20 ` Ben Hutchings
2015-04-27 7:53 ` Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 28/31] vm: add VM_FAULT_SIGSEGV handling support Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 29/31] vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 30/31] x86: mm: move mmap_sem unlock from mm_fault_error() to caller Greg Kroah-Hartman
2015-04-26 13:46 ` [PATCH 3.10 31/31] sb_edac: avoid INTERNAL ERROR message in EDAC with unspecified channel Greg Kroah-Hartman
2015-04-26 15:15 ` [PATCH 3.10 00/31] 3.10.76-stable review Guenter Roeck
2015-04-26 17:12 ` Greg Kroah-Hartman
2015-04-26 17:14 ` Guenter Roeck
2015-04-26 20:01 ` Guenter Roeck
2015-04-27 17:19 ` Shuah Khan