[kernel/f17] Include upstream commit 4523e145 for CVE-2012-2390
Josh Boyer
jwboyer at fedoraproject.org
Wed May 30 16:03:23 UTC 2012
commit 506e7ae6a2a52c25e9c6da6fa815a18f39ab347e
Author: Josh Boyer <jwboyer at redhat.com>
Date: Wed May 30 12:01:58 2012 -0400
Include upstream commit 4523e145 for CVE-2012-2390
This fixes an oops that was trivially triggered after the original commit
went in. Props to Dave J.
hugetlb-fix-resv_map-leak-in-error-path.patch | 68 +++++++++++++++++++++++++
1 files changed, 68 insertions(+), 0 deletions(-)
---
diff --git a/hugetlb-fix-resv_map-leak-in-error-path.patch b/hugetlb-fix-resv_map-leak-in-error-path.patch
index 0bfd38c..888d5ce 100644
--- a/hugetlb-fix-resv_map-leak-in-error-path.patch
+++ b/hugetlb-fix-resv_map-leak-in-error-path.patch
@@ -106,3 +106,71 @@ index 41a647d..285a81e 100644
--
1.7.7.6
+From 4523e1458566a0e8ecfaff90f380dd23acc44d27 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Wed, 30 May 2012 07:51:07 -0700
+Subject: [PATCH] mm: fix vma_resv_map() NULL pointer
+
+hugetlb_reserve_pages() can be used for either normal file-backed
+hugetlbfs mappings, or MAP_HUGETLB. In the MAP_HUGETLB, semi-anonymous
+mode, there is not a VMA around. The new call to resv_map_put() assumed
+that there was, and resulted in a NULL pointer dereference:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+ IP: vma_resv_map+0x9/0x30
+ PGD 141453067 PUD 1421e1067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ ...
+ Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
+ RIP: vma_resv_map+0x9/0x30
+ ...
+ Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
+ Call Trace:
+ resv_map_put+0xe/0x40
+ hugetlb_reserve_pages+0xa6/0x1d0
+ hugetlb_file_setup+0x102/0x2c0
+ newseg+0x115/0x360
+ ipcget+0x1ce/0x310
+ sys_shmget+0x5a/0x60
+ system_call_fastpath+0x16/0x1b
+
+This was reported by Dave Jones, but was reproducible with the
+libhugetlbfs test cases, so shame on me for not running them in the
+first place.
+
+With this, the oops is gone, and the output of libhugetlbfs's
+run_tests.py is identical to plain 3.4 again.
+
+[ Marked for stable, since this was introduced by commit c50ac050811d
+ ("hugetlb: fix resv_map leak in error path") which was also marked for
+ stable ]
+
+Reported-by: Dave Jones <davej at redhat.com>
+Cc: Mel Gorman <mel at csn.ul.ie>
+Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+Cc: Christoph Lameter <cl at linux.com>
+Cc: Andrea Arcangeli <aarcange at redhat.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: <stable at vger.kernel.org> [2.6.32+]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/hugetlb.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 285a81e..e198831 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3036,7 +3036,8 @@ int hugetlb_reserve_pages(struct inode *inode,
+ region_add(&inode->i_mapping->private_list, from, to);
+ return 0;
+ out_err:
+- resv_map_put(vma);
++ if (vma)
++ resv_map_put(vma);
+ return ret;
+ }
+
+--
+1.7.7.6
+
More information about the scm-commits
mailing list