diff --git a/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch b/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch new file mode 100644 index 0000000..90bf053 --- /dev/null +++ b/fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch @@ -0,0 +1,86 @@ +From 9aacdd354d197ad64685941b36d28ea20ab88757 Mon Sep 17 00:00:00 2001 +From: Mike Kravetz +Date: Fri, 15 Jan 2016 16:57:37 -0800 +Subject: [PATCH] fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() + +Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine. The +argument end is of type pgoff_t. It was being converted to a vaddr +offset and passed to unmap_hugepage_range. However, end was also being +used as an argument to the vma_interval_tree_foreach controlling loop. +In addition, the conversion of end to vaddr offset was incorrect. + +hugetlb_vmtruncate_list is called as part of a file truncate or +fallocate hole punch operation. + +When truncating a hugetlbfs file, this bug could prevent some pages from +being unmapped. This is possible if there are multiple vmas mapping the +file, and there is a sufficiently sized hole between the mappings. The +size of the hole between two vmas (A,B) must be such that the starting +virtual address of B is greater than (ending virtual address of A << +PAGE_SHIFT). In this case, the pages in B would not be unmapped. If +pages are not properly unmapped during truncate, the following BUG is +hit: + + kernel BUG at fs/hugetlbfs/inode.c:428! + +In the fallocate hole punch case, this bug could prevent pages from +being unmapped as in the truncate case. However, for hole punch the +result is that unmapped pages will not be removed during the operation. +For hole punch, it is also possible that more pages than desired will be +unmapped. This unnecessary unmapping will cause page faults to +reestablish the mappings on subsequent page access. + +Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")Reported-by: Hillf Danton +Signed-off-by: Mike Kravetz +Cc: Hugh Dickins +Cc: Naoya Horiguchi +Cc: Davidlohr Bueso +Cc: Dave Hansen +Cc: [4.3] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +--- + fs/hugetlbfs/inode.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c +index bbc333b01ca3..9c07d2d754c9 100644 +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -463,6 +463,7 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end) + */ + vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) { + unsigned long v_offset; ++ unsigned long v_end; + + /* + * Can the expression below overflow on 32-bit arches? +@@ -475,15 +476,17 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end) + else + v_offset = 0; + +- if (end) { +- end = ((end - start) << PAGE_SHIFT) + +- vma->vm_start + v_offset; +- if (end > vma->vm_end) +- end = vma->vm_end; +- } else +- end = vma->vm_end; ++ if (!end) ++ v_end = vma->vm_end; ++ else { ++ v_end = ((end - vma->vm_pgoff) << PAGE_SHIFT) ++ + vma->vm_start; ++ if (v_end > vma->vm_end) ++ v_end = vma->vm_end; ++ } + +- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL); ++ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end, ++ NULL); + } + } + +-- +2.5.0 + diff --git a/kernel.spec b/kernel.spec index 3131f76..6295bac 100644 --- a/kernel.spec +++ b/kernel.spec @@ -696,6 +696,9 @@ Patch646: HID-sony-do-not-bail-out-when-the-sixaxis-refuses-th.patch #rhbz 1303270 Patch647: rtlwifi-fix-memory-leak-for-USB-device.patch +#CVE-2016-0617 rhbz 1305803 1305804 +Patch648: fs-hugetlbfs-inode.c-fix-bugs-in-hugetlb_vmtruncate_.patch + # END OF PATCH DEFINITIONS %endif @@ -2139,6 +2142,9 @@ fi # # %changelog +* Tue Feb 09 2016 Josh Boyer +- CVE-2016-0617 fix hugetlbfs inode.c issues (rhbz 1305803 1305804) + * Tue Feb 02 2016 Josh Boyer - Backport patch to fix memory leak in rtlwifi USB devices (rhbz 1303270)