[kernel/f17] Include upstream commit 4523e145 for CVE-2012-2390

Wed May 30 16:03:23 UTC 2012

commit 506e7ae6a2a52c25e9c6da6fa815a18f39ab347e
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed May 30 12:01:58 2012 -0400

    Include upstream commit 4523e145 for CVE-2012-2390
    
    This fixes an oops that was trivially triggered after the original commit
    went in.  Props to Dave J.

 hugetlb-fix-resv_map-leak-in-error-path.patch |   68 +++++++++++++++++++++++++
 1 files changed, 68 insertions(+), 0 deletions(-)
---

diff --git a/hugetlb-fix-resv_map-leak-in-error-path.patch b/hugetlb-fix-resv_map-leak-in-error-path.patch
index 0bfd38c..888d5ce 100644
--- a/hugetlb-fix-resv_map-leak-in-error-path.patch
+++ b/hugetlb-fix-resv_map-leak-in-error-path.patch
@@ -106,3 +106,71 @@ index 41a647d..285a81e 100644
 -- 
 1.7.7.6
 
+From 4523e1458566a0e8ecfaff90f380dd23acc44d27 Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave at linux.vnet.ibm.com>
+Date: Wed, 30 May 2012 07:51:07 -0700
+Subject: [PATCH] mm: fix vma_resv_map() NULL pointer
+
+hugetlb_reserve_pages() can be used for either normal file-backed
+hugetlbfs mappings, or MAP_HUGETLB.  In the MAP_HUGETLB, semi-anonymous
+mode, there is not a VMA around.  The new call to resv_map_put() assumed
+that there was, and resulted in a NULL pointer dereference:
+
+  BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+  IP: vma_resv_map+0x9/0x30
+  PGD 141453067 PUD 1421e1067 PMD 0
+  Oops: 0000 [#1] PREEMPT SMP
+  ...
+  Pid: 14006, comm: trinity-child6 Not tainted 3.4.0+ #36
+  RIP: vma_resv_map+0x9/0x30
+  ...
+  Process trinity-child6 (pid: 14006, threadinfo ffff8801414e0000, task ffff8801414f26b0)
+  Call Trace:
+    resv_map_put+0xe/0x40
+    hugetlb_reserve_pages+0xa6/0x1d0
+    hugetlb_file_setup+0x102/0x2c0
+    newseg+0x115/0x360
+    ipcget+0x1ce/0x310
+    sys_shmget+0x5a/0x60
+    system_call_fastpath+0x16/0x1b
+
+This was reported by Dave Jones, but was reproducible with the
+libhugetlbfs test cases, so shame on me for not running them in the
+first place.
+
+With this, the oops is gone, and the output of libhugetlbfs's
+run_tests.py is identical to plain 3.4 again.
+
+[ Marked for stable, since this was introduced by commit c50ac050811d
+  ("hugetlb: fix resv_map leak in error path") which was also marked for
+  stable ]
+
+Reported-by: Dave Jones <davej at redhat.com>
+Cc: Mel Gorman <mel at csn.ul.ie>
+Cc: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+Cc: Christoph Lameter <cl at linux.com>
+Cc: Andrea Arcangeli <aarcange at redhat.com>
+Cc: Andrew Morton <akpm at linux-foundation.org>
+Cc: <stable at vger.kernel.org>        [2.6.32+]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ mm/hugetlb.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 285a81e..e198831 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3036,7 +3036,8 @@ int hugetlb_reserve_pages(struct inode *inode,
+ 		region_add(&inode->i_mapping->private_list, from, to);
+ 	return 0;
+ out_err:
+-	resv_map_put(vma);
++	if (vma)
++		resv_map_put(vma);
+ 	return ret;
+ }
+ 
+-- 
+1.7.7.6
+
