Public bug reported:

The following change was pulled into at least the Ubuntu Xenial kernel release:
http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-xenial.git/commit/mm?id=b56d2a75e1daae6ff6eedfb732eadf3c13df6090
From b56d2a75e1daae6ff6eedfb732eadf3c13df6090 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <torva...@linux-foundation.org>
Date: Mon, 17 Oct 2016 17:29:48 -0500
Subject: UBUNTU: SAUCE: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can once more try to fix it by checking the pte_dirty() bit properly (and do it better).

Also, the VM has become more scalable, and what was a purely theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <ker...@linuxace.com>
Cc: Michal Hocko <mho...@kernel.org>
Cc: Andy Lutomirski <l...@kernel.org>
Cc: Kees Cook <keesc...@chromium.org>
Cc: Oleg Nesterov <o...@redhat.com>
Cc: Willy Tarreau <w...@1wt.eu>
Acked-by: Hugh Dickins <hu...@google.com>
Cc: Nick Piggin <npig...@gmail.com>
Cc: Greg Thelen <gthe...@google.com>
Cc: sta...@vger.kernel.org
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>

CVE-2016-5195

However, this change introduced a bug in the kernel memory manager, in which syscalls can end up in an infinite loop when transparent huge pages are enabled. See the following commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/mm/huge_memory.c?id=8310d48b125d19fcd9521d83b8293e63eb1646aa

This fix has not been ported to the Xenial kernel, and thus the infinite loop issue is hitting certain machines quite often.
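To make the two commits above concrete, here is a small userspace model of the get_user_pages() retry loop, written for this report rather than taken from the kernel or the Ubuntu tree. It reproduces the decision the CVE-2016-5195 fix makes for PTEs (the can_follow_write_pte() predicate: a FOLL_FORCE write on a read-only entry is accepted only once FOLL_COW is set and the dirty bit confirms the private copy is still there), the unpatched Xenial huge-page lookup that only consults the write bit, and the faultin_page() step that performs the COW and sets FOLL_COW. The struct fields, flag values and function names are simplified stand-ins chosen for the model; the iteration bound is an assumption added so the non-terminating THP case can be observed instead of hanging.

```c
/* Userspace model of the __get_user_pages() retry loop from the bug report.
 * Added illustration, not kernel code: flag values, struct fields and
 * function names are simplified stand-ins for the kernel's FOLL_* flags,
 * follow_page_mask() and faultin_page(). */
#include <stdbool.h>
#include <stdio.h>

#define FOLL_WRITE 0x01   /* caller wants a writable page */
#define FOLL_FORCE 0x10   /* override VMA permissions (ptrace, /proc/pid/mem) */
#define FOLL_COW   0x4000 /* internal: a COW fault has already been done */

/* State of one mapped page: VMA permission plus the PTE or PMD entry bits. */
struct page_state {
    bool vma_writable;   /* VM_WRITE set on the mapping */
    bool entry_writable; /* hardware write bit on the PTE/PMD */
    bool entry_dirty;    /* dirty bit on the PTE/PMD */
    bool private_copy;   /* entry points at a private anon copy after COW */
};

/* Predicate from the fix: a forced write through a non-writable entry is
 * allowed only if we already COWed it AND the dirty bit shows the entry
 * still refers to our private copy (guards against the original race). */
static bool can_follow_write(const struct page_state *ps, unsigned int flags)
{
    return ps->entry_writable ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && ps->entry_dirty);
}

/* Patched lookup: PTE path in mm/gup.c, and the THP path once commit
 * 8310d48b125d applies the same rule to huge PMDs. true = page found. */
static bool follow_page_patched(const struct page_state *ps, unsigned int flags)
{
    if ((flags & FOLL_WRITE) && !can_follow_write(ps, flags))
        return false; /* NULL: caller has to fault the page in */
    return true;
}

/* Unpatched Xenial THP lookup: checks only the write bit, so it never
 * accepts the COWed-but-read-only huge page and keeps returning NULL. */
static bool follow_page_thp_unpatched(const struct page_state *ps, unsigned int flags)
{
    if ((flags & FOLL_WRITE) && !ps->entry_writable)
        return false;
    return true;
}

/* Model of faultin_page(): a write fault on a read-only private mapping
 * makes a dirty private copy, leaves the entry read-only (no VM_WRITE on
 * the VMA) and records that the COW happened via FOLL_COW. */
static void faultin_page(struct page_state *ps, unsigned int *flags)
{
    ps->private_copy = true;
    ps->entry_dirty = true;
    ps->entry_writable = ps->vma_writable;
    if (!ps->vma_writable)
        *flags |= FOLL_COW;
}

/* Bounded retry loop. Returns how many lookups it took to get the page, or
 * -1 when max_iter lookups all failed (the infinite loop from the report). */
static int gup_retry(bool (*follow)(const struct page_state *, unsigned int),
                     struct page_state *ps, unsigned int flags, int max_iter)
{
    for (int i = 1; i <= max_iter; i++) {
        if (follow(ps, flags))
            return i;
        faultin_page(ps, &flags);
    }
    return -1;
}

/* A read-only private mapping, the situation ptrace/proc-mem writes hit. */
static struct page_state readonly_mapping(void)
{
    struct page_state ps = { false, false, false, false };
    return ps;
}

int lookups_with_pte_fix(void)
{
    struct page_state ps = readonly_mapping();
    return gup_retry(follow_page_patched, &ps, FOLL_FORCE | FOLL_WRITE, 100);
}

int lookups_with_unpatched_thp(void)
{
    struct page_state ps = readonly_mapping();
    return gup_retry(follow_page_thp_unpatched, &ps, FOLL_FORCE | FOLL_WRITE, 100);
}

/* The dirty-bit validation: if the private copy is torn down between the
 * fault and the retry, FOLL_COW alone is not trusted and the lookup fails
 * (forcing a fresh fault) instead of handing out a page we did not COW. */
bool stale_cow_is_rejected(void)
{
    struct page_state ps = readonly_mapping();
    unsigned int flags = FOLL_FORCE | FOLL_WRITE;
    faultin_page(&ps, &flags);
    ps = readonly_mapping(); /* entry reset: not dirty, no private copy */
    return !follow_page_patched(&ps, flags);
}

int main(void)
{
    printf("pte path (patched): %d lookups\n", lookups_with_pte_fix());
    printf("thp path (unpatched): %d (-1 = loops forever)\n", lookups_with_unpatched_thp());
    printf("stale COW rejected: %s\n", stale_cow_is_rejected() ? "yes" : "no");
    return 0;
}
```

With the PTE rule the second lookup succeeds, because the fault left a dirty private copy and FOLL_COW set. The unpatched huge-page lookup never consults FOLL_COW or the dirty bit, so every retry fails and the fault is repeated, which is the hang the report describes; the ported commit closes it by applying the same predicate to the PMD.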
Example of the bug hitting: http://www.mail-archive.com/lldb-dev@lists.llvm.org/msg03851.html

Kernel Info: Linux Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-51-generic x86_64)

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Tags: kernel-bug xenial

** Summary changed:

- "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be ported to Xenail Kernel
+ "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be ported to Xenial Kernel

** Tags added: kernel-bug xenial

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1660518

Title:
  "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be ported to Xenial Kernel

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs