NAK: [Precise][CVE-2016-3961][PATCH] x86/mm/xen: Suppress hugetlbfs in PV guests

Luis Henriques luis.henriques at canonical.com
Tue Jul 5 14:06:22 UTC 2016


Luis Henriques <luis.henriques at canonical.com> writes:

> From: Jan Beulich <JBeulich at suse.com>
>
> commit 103f6112f253017d7062cd74d17f4a514ed4485c upstream.
>

Ugh!  It's the 2nd time I've made this mistake: this is not applicable to Precise
as-is.  It requires a few more commits (also from 3.2 stable).  Please
ignore this patch for now.

Cheers,
-- 
Luís


> Huge pages are not normally available to PV guests. Not suppressing
> hugetlbfs use results in an endless loop of page faults when user mode
> code tries to access a hugetlbfs mapped area (since the hypervisor
> denies such PTEs to be created, but error indications can't be
> propagated out of xen_set_pte_at(), just like for various of its
> siblings), and - once killed in an oops like this:
>
>   kernel BUG at .../fs/hugetlbfs/inode.c:428!
>   invalid opcode: 0000 [#1] SMP
>   ...
>   RIP: e030:[<ffffffff811c333b>]  [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
>   ...
>   Call Trace:
>    [<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
>    [<ffffffff81167b3d>] evict+0xbd/0x1b0
>    [<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
>    [<ffffffff81165b0e>] dput+0x1fe/0x220
>    [<ffffffff81150535>] __fput+0x155/0x200
>    [<ffffffff81079fc0>] task_work_run+0x60/0xa0
>    [<ffffffff81063510>] do_exit+0x160/0x400
>    [<ffffffff810637eb>] do_group_exit+0x3b/0xa0
>    [<ffffffff8106e8bd>] get_signal+0x1ed/0x470
>    [<ffffffff8100f854>] do_signal+0x14/0x110
>    [<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
>    [<ffffffff814178a5>] retint_user+0x8/0x13
>
> This is CVE-2016-3961 / XSA-174.
>
> Reported-by: Vitaly Kuznetsov <vkuznets at redhat.com>
> Signed-off-by: Jan Beulich <jbeulich at suse.com>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: Andy Lutomirski <luto at amacapital.net>
> Cc: Boris Ostrovsky <boris.ostrovsky at oracle.com>
> Cc: Borislav Petkov <bp at alien8.de>
> Cc: Brian Gerst <brgerst at gmail.com>
> Cc: David Vrabel <david.vrabel at citrix.com>
> Cc: Denys Vlasenko <dvlasenk at redhat.com>
> Cc: H. Peter Anvin <hpa at zytor.com>
> Cc: Juergen Gross <JGross at suse.com>
> Cc: Linus Torvalds <torvalds at linux-foundation.org>
> Cc: Luis R. Rodriguez <mcgrof at suse.com>
> Cc: Peter Zijlstra <peterz at infradead.org>
> Cc: Thomas Gleixner <tglx at linutronix.de>
> Cc: Toshi Kani <toshi.kani at hp.com>
> Cc: xen-devel <xen-devel at lists.xenproject.org>
> Link: http://lkml.kernel.org/r/57188ED802000078000E431C@prv-mh.provo.novell.com
> Signed-off-by: Ingo Molnar <mingo at kernel.org>
> Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
> CVE-2016-3961
> BugLink: https://bugs.launchpad.net/bugs/1571020
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  arch/x86/include/asm/hugetlb.h | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/include/asm/hugetlb.h b/arch/x86/include/asm/hugetlb.h
> index 48fa3915fd02..4e8225c25145 100644
> --- a/arch/x86/include/asm/hugetlb.h
> +++ b/arch/x86/include/asm/hugetlb.h
> @@ -3,6 +3,7 @@
>  
>  #include <asm/page.h>
>  
> +#define hugepages_supported() cpu_has_pse
>  
>  static inline int is_hugepage_only_range(struct mm_struct *mm,
>  					 unsigned long addr,
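Review bot: the new `hugepages_supported()` definition is only effective if the hugetlbfs core in this tree actually consults that hook; as the NAK above points out, on Precise that is not the case without the prerequisite 3.2-stable commits, so applied alone this macro is dead code and the endless page-fault loop described in the commit message remains. Please queue the dependent commits first and resubmit as a series. Minor: the hunk relies on `cpu_has_pse` but the only include visible in the header is `<asm/page.h>`; confirm that the definition of `cpu_has_pse` is pulled in for every user of this header on 3.2, or add the appropriate include alongside the macro.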
