[PATCH STABLE 4.4 0/8] page refcount overflow backports

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Vlastimil Babka <vbabka@suse.cz>
To: stable@vger.kernel.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Ajay Kaher <akaher@vmware.com>, Vlastimil Babka <vbabka@suse.cz>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andy Lutomirski <luto@kernel.org>,
	"Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>,
	Borislav Petkov <bp@alien8.de>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Hillf Danton <hillf.zj@alibaba-inc.com>,
	Ingo Molnar <mingo@redhat.com>, Jann Horn <jannh@google.com>,
	Juergen Gross <jgross@suse.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Matthew Wilcox <willy@infradead.org>,
	Michal Hocko <mhocko@suse.com>,
	Mike Kravetz <mike.kravetz@oracle.com>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>,
	Oscar Salvador <osalvador@suse.de>,
	Peter Zijlstra <peterz@infradead.org>,
	Punit Agrawal <punit.agrawal@arm.com>,
	Steve Capper <steve.capper@arm.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Vitaly Kuznetsov <vkuznets@redhat.com>,
	Will Deacon <will.deacon@arm.com>
Subject: [PATCH STABLE 4.4 0/8] page refcount overflow backports
Date: Fri,  8 Nov 2019 10:38:06 +0100	[thread overview]
Message-ID: <20191108093814.16032-1-vbabka@suse.cz> (raw)

Hi,

this series backports the CVE-2019-11487 fixes (page refcount overflow) to
4.4 stable. It differs from Ajay's series [1] in the following:

- gup.c variants of fast gup for x86 and s390 are fixed too. I've not fixed
  sparc, mips, sh. It's unlikely the known overflow scenario based on FUSE,
  which needs 140GB of RAM, is a problem for those architectures, and I don't
  feel confident enough to patch them. I've sent the same fixup for 4.9 [3]
- there are some differences in backport adaptations, hopefully not important.
  My version is taken from our 4.4 based kernel, which was just simpler for me
  than adding the missing parts to Ajay's version
- The last patch fixes another problem in the fast gup implementation on x86,
  that I've previously posted and got merged to 4.9 stable [2].

[1] https://lore.kernel.org/linux-mm/1570581863-12090-1-git-send-email-akaher@vmware.com/
[2] https://lore.kernel.org/linux-mm/20190802160614.8089-1-vbabka@suse.cz/
[3] https://lore.kernel.org/linux-mm/9c130fa4-e52d-f8bd-c450-42341c7ab441@suse.cz/

Linus Torvalds (3):
  mm: make page ref count overflow check tighter and more explicit
  mm: add 'try_get_page()' helper function
  mm: prevent get_user_pages() from overflowing page refcount

Matthew Wilcox (1):
  fs: prevent page refcount overflow in pipe_buf_get

Miklos Szeredi (1):
  pipe: add pipe_buf_get() helper

Punit Agrawal (1):
  mm, gup: ensure real head page is ref-counted when using hugepages

Vlastimil Babka (1):
  x86, mm, gup: prevent get_page() race with munmap in paravirt guest

Will Deacon (1):
  mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages

 arch/s390/mm/gup.c        |  6 +++--
 arch/x86/mm/gup.c         | 23 ++++++++++++++++++-
 fs/fuse/dev.c             | 12 +++++-----
 fs/pipe.c                 |  4 ++--
 fs/splice.c               | 12 ++++++++--
 include/linux/mm.h        | 26 ++++++++++++++++++++-
 include/linux/pipe_fs_i.h | 17 ++++++++++++--
 kernel/trace/trace.c      |  6 ++++-
 mm/gup.c                  | 48 +++++++++++++++++++++++++++------------
 mm/huge_memory.c          |  2 +-
 mm/hugetlb.c              | 18 +++++++++++++--
 mm/internal.h             | 17 ++++++++++----
 12 files changed, 152 insertions(+), 39 deletions(-)

-- 
2.23.0

next             reply	other threads:[~2019-11-08  9:38 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-08  9:38 Vlastimil Babka [this message]
2019-11-08  9:38 ` [PATCH STABLE 4.4 1/8] mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 2/8] mm, gup: ensure real head page is ref-counted when using hugepages Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 3/8] mm: make page ref count overflow check tighter and more explicit Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 4/8] mm: add 'try_get_page()' helper function Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 5/8] mm: prevent get_user_pages() from overflowing page refcount Vlastimil Babka
2019-12-03 12:25   ` Ajay Kaher
2019-12-03 12:57     ` Vlastimil Babka
2019-12-06  4:15       ` Ajay Kaher
2019-12-06 14:32         ` Vlastimil Babka
2019-12-09  8:54           ` Ajay Kaher
2019-12-09  9:10             ` Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 6/8] pipe: add pipe_buf_get() helper Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 7/8] fs: prevent page refcount overflow in pipe_buf_get Vlastimil Babka
2019-11-08  9:38 ` [PATCH STABLE 4.4 8/8] x86, mm, gup: prevent get_page() race with munmap in paravirt guest Vlastimil Babka

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191108093814.16032-1-vbabka@suse.cz \
    --to=vbabka@suse.cz \
    --cc=akaher@vmware.com \
    --cc=akpm@linux-foundation.org \
    --cc=aneesh.kumar@linux.vnet.ibm.com \
    --cc=bp@alien8.de \
    --cc=catalin.marinas@arm.com \
    --cc=dave.hansen@linux.intel.com \
    --cc=hillf.zj@alibaba-inc.com \
    --cc=jannh@google.com \
    --cc=jgross@suse.com \
    --cc=kirill.shutemov@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=luto@kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mhocko@suse.com \
    --cc=mike.kravetz@oracle.com \
    --cc=mingo@redhat.com \
    --cc=mszeredi@redhat.com \
    --cc=n-horiguchi@ah.jp.nec.com \
    --cc=osalvador@suse.de \
    --cc=peterz@infradead.org \
    --cc=punit.agrawal@arm.com \
    --cc=stable@vger.kernel.org \
    --cc=steve.capper@arm.com \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=vkuznets@redhat.com \
    --cc=will.deacon@arm.com \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox