*** This bug is a duplicate of bug 1658270 ***
https://bugs.launchpad.net/bugs/1658270
** This bug has been marked a duplicate of bug 1658270
Backport Dirty COW patch to prevent wineserver freeze
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1660518
Title:
"mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be
ported to Xenial Kernel
Status in linux package in Ubuntu:
Confirmed
Bug description:
The following change was pulled into at least the Ubuntu Xenial kernel
release.
http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-xenial.git/commit/mm?id=b56d2a75e1daae6ff6eedfb732eadf3c13df6090
From b56d2a75e1daae6ff6eedfb732eadf3c13df6090 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <[email protected]>
Date: Mon, 17 Oct 2016 17:29:48 -0500
Subject: UBUNTU: SAUCE: mm: remove gup_flags FOLL_WRITE games from
__get_user_pages()
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can once
more try to fix it by checking the pte_dirty() bit properly (and do it
better). Also, the VM has become more scalable, and what was a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Willy Tarreau <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Cc: Nick Piggin <[email protected]>
Cc: Greg Thelen <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
CVE-2016-5195
However, this change introduced a bug in the kernel memory manager, in which
syscalls can end up in an infinite loop when transparent huge pages are
enabled. See the following commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/mm/huge_memory.c?id=8310d48b125d19fcd9521d83b8293e63eb1646aa
This fix has not been ported to the Xenial kernel, and thus the infinite loop
issue is hitting certain machines quite often. Example of bug hitting:
http://www.mail-archive.com/[email protected]/msg03851.html
Kernel Info: Linux Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-51-generic x86_64)
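To make the infinite-loop failure mode concrete, here is an added user-space model of the retry loop in __get_user_pages(); it is not kernel code and not part of this bug report. It assumes a simplified page-table entry with only a writable and a dirty bit, and the honour_cow switch stands in for whether the huge-page path applies the same FOLL_COW/dirty check that the referenced fix adds for pmds.

```c
/* Added example (not kernel code): model of the get_user_pages() retry loop,
 * showing why a THP path that ignores FOLL_COW never terminates. */
#include <stdbool.h>
#include <stdio.h>

/* gup flag bits used by this model (constructed constants, not the kernel's) */
#define FOLL_WRITE 0x01
#define FOLL_FORCE 0x10
#define FOLL_COW   0x4000

/* Minimal page-table entry: writable bit and dirty bit */
struct entry { bool write; bool dirty; };

/* The post-fix rule: a non-writable entry may still be followed for write
 * if we are forcing, already broke COW, and the private copy is dirty.
 * With honour_cow == false the check degrades to the pre-fix THP path,
 * which only looked at the writable bit. */
static bool can_follow_write(struct entry e, unsigned flags, bool honour_cow)
{
    if (e.write)
        return true;
    if (!honour_cow)
        return false;
    return (flags & FOLL_FORCE) && (flags & FOLL_COW) && e.dirty;
}

/* Model of __get_user_pages(): try to follow the page; if it cannot be
 * followed for write, fault it in (COW), mark FOLL_COW and retry.
 * Returns the number of iterations needed, or -1 when the cap is hit,
 * which is the hang the bug report describes. */
int gup_iterations(struct entry e, unsigned flags, bool honour_cow, int cap)
{
    for (int i = 1; i <= cap; i++) {
        if (!(flags & FOLL_WRITE) || can_follow_write(e, flags, honour_cow))
            return i;
        /* faultin_page(): COW replaces the shared page with a private copy;
         * the copy is dirty, but under FOLL_FORCE on a read-only mapping it
         * stays non-writable, so only the FOLL_COW flag can let us proceed. */
        e.dirty = true;
        flags |= FOLL_COW;
    }
    return -1;
}

int main(void)
{
    struct entry ro = { .write = false, .dirty = false };
    printf("fixed path:   %d iterations\n",
           gup_iterations(ro, FOLL_WRITE | FOLL_FORCE, true, 10));
    printf("pre-fix THP:  %d (hang)\n",
           gup_iterations(ro, FOLL_WRITE | FOLL_FORCE, false, 10));
    return 0;
}
```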
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1660518/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp