| From 373c4557d2aa362702c4c2d41288fb1e54990b7c Mon Sep 17 00:00:00 2001 |
| From: Jann Horn <jannh@google.com> |
| Date: Tue, 14 Nov 2017 01:03:44 +0100 |
| Subject: mm/pagewalk.c: report holes in hugetlb ranges |
| |
| From: Jann Horn <jannh@google.com> |
| |
| commit 373c4557d2aa362702c4c2d41288fb1e54990b7c upstream. |
| |
| This matters at least for the mincore syscall, which will otherwise copy |
| uninitialized memory from the page allocator to userspace. It is |
| probably also a correctness error for /proc/$pid/pagemap, but I haven't |
| tested that. |
| |
| Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has |
| no effect because the caller already checks for that. |
| |
| This only reports holes in hugetlb ranges to callers who have specified |
| a hugetlb_entry callback. |
| |
| This issue was found using an AFL-based fuzzer. |
| |
| v2: |
| - don't crash on ->pte_hole==NULL (Andrew Morton) |
| - add Cc stable (Andrew Morton) |
| |
| Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()") |
| Signed-off-by: Jann Horn <jannh@google.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| mm/pagewalk.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/mm/pagewalk.c |
| +++ b/mm/pagewalk.c |
| @@ -188,8 +188,12 @@ static int walk_hugetlb_range(unsigned l |
| do { |
| next = hugetlb_entry_end(h, addr, end); |
| pte = huge_pte_offset(walk->mm, addr & hmask, sz); |
| - if (pte && walk->hugetlb_entry) |
| + |
| + if (pte) |
| err = walk->hugetlb_entry(pte, hmask, addr, next, walk); |
| + else if (walk->pte_hole) |
| + err = walk->pte_hole(addr, next, walk); |
| + |
| if (err) |
| break; |
| } while (addr = next, addr != end); |