wok-stable annotate linux/stuff/linux-CVE-2016-5195.u @ rev 12465

Up e2fsprogs (1.44.2)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Mon Mar 04 18:42:23 2019 +0100 (2019-03-04)
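--- linux-2.6.37/include/linux/mm.h
+++ linux-2.6.37/include/linux/mm.h
@@ -1415,6 +1415,7 @@
 #define FOLL_GET 0x04 /* do get_page on page */
 #define FOLL_DUMP 0x08 /* give error on hole if it would be zero */
 #define FOLL_FORCE 0x10 /* get_user_pages read/write w/o permission */
+#define FOLL_COW 0x4000 /* internal GUP flag */
 
 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
 void *data);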
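Review bot: The comment on the added `FOLL_COW` define says only "internal GUP flag", which tells a reader of mm.h neither what the bit means nor that callers must not pass it in. Something like `#define FOLL_COW 0x4000 /* internal: COW already broken for this lookup; set only by GUP, never by callers */` would document the contract that the check in mm/memory.c relies on. The other FOLL_ definitions lie outside this hunk, so it is also worth confirming that 0x4000 is unused in this 2.6.37 tree.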
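--- linux-2.6.37/mm/memory.c
+++ linux-2.6.37/mm/memory.c
@@ -1225,6 +1225,24 @@
 }
 EXPORT_SYMBOL_GPL(zap_vma_ptes);
 
+static inline bool can_follow_write_pte(pte_t pte, struct page *page,
+ unsigned int flags)
+{
+ if (pte_write(pte))
+ return true;
+
+ /*
+ * Make sure that we are really following CoWed page. We do not really
+ * have to care about exclusiveness of the page because we only want
+ * to ensure that once COWed page hasn't disappeared in the meantime
+ * or it hasn't been merged to a KSM page.
+ */
+ if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
+ return page && PageAnon(page) && !PageKsm(page);
+
+ return false;
+}
+
 /**
 * follow_page - look up a page descriptor from a user-virtual address
 * @vma: vm_area_struct mapping @address
@@ -1286,10 +1304,13 @@
 pte = *ptep;
 if (!pte_present(pte))
 goto no_page;
- if ((flags & FOLL_WRITE) && !pte_write(pte))
- goto unlock;
 
 page = vm_normal_page(vma, address, pte);
+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) {
+ pte_unmap_unlock(ptep, ptl);
+ return NULL;
+ }
+
 if (unlikely(!page)) {
 if ((flags & FOLL_DUMP) ||
 !is_zero_pfn(pte_pfn(pte)))
@@ -1310,7 +1331,7 @@
 */
 mark_page_accessed(page);
 }
-unlock:
+
 pte_unmap_unlock(ptep, ptl);
 out:
 return page;
@@ -1464,17 +1485,13 @@
 * The VM_FAULT_WRITE bit tells us that
 * do_wp_page has broken COW when necessary,
 * even if maybe_mkwrite decided not to set
- * pte_write. We can thus safely do subsequent
- * page lookups as if they were reads. But only
- * do so when looping for pte_write is futile:
- * in some cases userspace may also be wanting
- * to write to the gotten user page, which a
- * read fault here might prevent (a readonly
- * page might get reCOWed by userspace write).
+ * pte_write. We cannot simply drop FOLL_WRITE
+ * here because the COWed page might be gone by
+ * the time we do the subsequent page lookups.
 */
 if ((ret & VM_FAULT_WRITE) &&
 !(vma->vm_flags & VM_WRITE))
- foll_flags &= ~FOLL_WRITE;
+ foll_flags |= FOLL_COW;
 
 cond_resched();
 }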
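Review bot: In the second hunk, can_follow_write_pte() lets a FOLL_FORCE|FOLL_COW lookup through a read-only PTE when `page && PageAnon(page) && !PageKsm(page)` holds, and the comment above that test does not explain why an anonymous, non-KSM page is enough to show that the COW copy is still in place. The upstream fix for CVE-2016-5195 tests `pte_dirty(pte)` at this point instead, so if the page-flag variant is deliberate for 2.6.37 the comment should say so and give the reason. It would also help to state there that FOLL_COW is set only by the VM_FAULT_WRITE branch in the last hunk. As a style point, the third hunk's `pte_unmap_unlock(ptep, ptl); return NULL;` duplicates the exit path; setting `page = NULL` and keeping the `unlock:` label would leave a single unlock site. Both follow_page and the fault loop extend beyond the hunks shown.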