userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size - BMC/Intel-BMC/linux.git - Intel OpenBMC Linux kernel source tree (mirror)

diff options

author	Andrea Arcangeli <aarcange@redhat.com>	2017-11-03 01:59:29 +0300
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-11-03 17:39:19 +0300
commit	1e3921471354244f70fe268586ff94a97a6dd4df (patch)
tree	d103a318db6e2d238365ff0e585dc56fd1962b1d /fs/proc
parent	5cb0512c02ecd7e6214e912e4c150f4219ac78e0 (diff)
download	linux-1e3921471354244f70fe268586ff94a97a6dd4df.tar.xz

userfaultfd: hugetlbfs: prevent UFFDIO_COPY to fill beyond the end of i_size

This oops: kernel BUG at fs/hugetlbfs/inode.c:484! RIP: remove_inode_hugepages+0x3d0/0x410 Call Trace: hugetlbfs_setattr+0xd9/0x130 notify_change+0x292/0x410 do_truncate+0x65/0xa0 do_sys_ftruncate.constprop.3+0x11a/0x180 SyS_ftruncate+0xe/0x10 tracesys+0xd9/0xde was caused by the lack of i_size check in hugetlb_mcopy_atomic_pte. mmap() can still succeed beyond the end of the i_size after vmtruncate zapped vmas in those ranges, but the faults must not succeed, and that includes UFFDIO_COPY. We could differentiate the retval to userland to represent a SIGBUS like a page fault would do (vs SIGSEGV), but it doesn't seem very useful and we'd need to pick a random retval as there's no meaningful syscall retval that would differentiate from SIGSEGV and SIGBUS, there's just -EFAULT. Link: http://lkml.kernel.org/r/20171016223914.2421-2-aarcange@redhat.com Signed-off-by: Andrea Arcangeli <aarcange@redhat.com> Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com> Cc: Mike Rapoport <rppt@linux.vnet.ibm.com> Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'fs/proc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: