"mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be ported to Xenial Kernel

Bug #1660518 reported by Brian G.
Affects: linux (Ubuntu)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

The following change was pulled into at least the Ubuntu Xenial kernel release.
http://kernel.ubuntu.com/git/kernel-ppa/mirror/ubuntu-xenial.git/commit/mm?id=b56d2a75e1daae6ff6eedfb732eadf3c13df6090

From b56d2a75e1daae6ff6eedfb732eadf3c13df6090 Mon Sep 17 00:00:00 2001
From: Linus Torvalds <email address hidden>
Date: Mon, 17 Oct 2016 17:29:48 -0500
Subject: UBUNTU: SAUCE: mm: remove gup_flags FOLL_WRITE games from
 __get_user_pages()

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can once
more try to fix it by checking the pte_dirty() bit properly (and do it
better). Also, the VM has become more scalable, and what was a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <email address hidden>
Cc: Michal Hocko <email address hidden>
Cc: Andy Lutomirski <email address hidden>
Cc: Kees Cook <email address hidden>
Cc: Oleg Nesterov <email address hidden>
Cc: Willy Tarreau <w@1wt.eu>
Acked-by: Hugh Dickins <email address hidden>
Cc: Nick Piggin <email address hidden>
Cc: Greg Thelen <email address hidden>
Cc: <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>

CVE-2016-5195

However, this change introduced a bug in the kernel memory manager, in which syscalls can end up in an infinite loop when transparent huge pages are enabled. See the following commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/mm/huge_memory.c?id=8310d48b125d19fcd9521d83b8293e63eb1646aa

This fix has not been ported to the Xenial kernel, and thus the infinite loop issue is hitting certain machines quite often. Example of bug hitting: http://<email address hidden>/msg03851.html

Kernel Info: Linux Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-51-generic x86_64)
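The following is an added illustration, not code from this report, from the kernel, or from the Ubuntu tree: a userspace C model of the __get_user_pages() retry loop that the two commits above touch. The FOLL_* bit values, the struct entry / struct vma shapes and the faultin_page() behaviour are simplified assumptions of the model. It shows why, once the Xenial SAUCE commit (b56d2a75...) records FOLL_COW instead of clearing FOLL_WRITE, a FOLL_FORCE write into a read-only private mapping converges on the pte path after one COW fault, but on a transparent-huge pmd the lookup keeps failing and the loop never terminates until the huge_memory.c fix (8310d48b...) applies the same FOLL_COW rule there.

```c
#include <stdbool.h>
#include <stdio.h>

/* gup flag bits. The names follow the kernel; the bit values are this
 * model's own (hypothetical) and only need to be distinct. */
#define FOLL_WRITE 0x01u
#define FOLL_FORCE 0x10u
#define FOLL_COW   0x4000u

/* Model of one page-table entry: either a pte or a transparent-huge pmd. */
struct entry {
    bool present;   /* mapped */
    bool write;     /* hardware write permission (pte_write / pmd_write) */
    bool dirty;     /* dirty bit (pte_dirty / pmd_dirty), set by a COW fault */
    bool huge;      /* true for a THP pmd, false for a 4 KiB pte */
};

/* Only the vma bit the retry logic looks at. */
struct vma {
    bool vm_write;  /* VM_WRITE: mapping is writable by userspace */
};

/* FOLL_FORCE may write through an unwritable entry only once a COW cycle
 * has happened (FOLL_COW) and the entry is dirty. The pte path gained this
 * rule with the FOLL_COW commit; 8310d48b applies it to huge pmds too. */
static bool can_follow_write(const struct entry *e, unsigned int flags)
{
    return e->write ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && e->dirty);
}

/* follow_page_mask(): true when the lookup succeeds without faulting.
 * thp_fixed selects whether the huge-pmd path applies the FOLL_COW rule
 * (8310d48b) or only checks pmd_write() as the unfixed Xenial tree did. */
static bool follow_page(const struct entry *e, unsigned int flags, bool thp_fixed)
{
    if (!e->present)
        return false;
    if (!(flags & FOLL_WRITE))
        return true;                       /* plain read: present is enough */
    if (e->huge && !thp_fixed)
        return e->write;                   /* ignores FOLL_COW: the bug */
    return can_follow_write(e, flags);     /* pte path, or fixed pmd path */
}

/* faultin_page(): a write fault breaks COW (VM_FAULT_WRITE). The new entry
 * is dirty, and stays read-only when the mapping itself is not writable;
 * in that case FOLL_COW is recorded so the next lookup can proceed. */
static void faultin_page(struct entry *e, const struct vma *v, unsigned int *flags)
{
    bool vm_fault_write = true;            /* do_wp_page broke COW */

    e->present = true;
    e->dirty = true;
    e->write = v->vm_write;
    if (vm_fault_write && !v->vm_write)
        *flags |= FOLL_COW;
}

/* __get_user_pages() retry loop for a single page. Returns the number of
 * follow_page() attempts needed, or -1 if max_iter attempts never succeed
 * (the real loop has no bound, so -1 means "spins forever"). */
int gup_iterations(struct entry e, struct vma v, unsigned int flags,
                   bool thp_fixed, int max_iter)
{
    for (int i = 1; i <= max_iter; i++) {
        if (follow_page(&e, flags, thp_fixed))
            return i;
        faultin_page(&e, &v, &flags);
    }
    return -1;
}

/* Constructed scenario: FOLL_FORCE write into a present, clean, read-only
 * entry (as a ptrace/proc-mem style access would do), with the mapping
 * itself either read-only or writable. */
int scenario(bool huge, bool thp_fixed, bool vm_write)
{
    struct entry e = { .present = true, .write = false, .dirty = false, .huge = huge };
    struct vma v = { .vm_write = vm_write };
    return gup_iterations(e, v, FOLL_WRITE | FOLL_FORCE, thp_fixed, 10);
}

int main(void)
{
    printf("pte path, read-only vma:        %d attempts\n", scenario(false, false, false));
    printf("thp path, unfixed, read-only:   %d attempts (-1 = never)\n", scenario(true, false, false));
    printf("thp path, 8310d48b, read-only:  %d attempts\n", scenario(true, true, false));
    printf("thp path, unfixed, writable:    %d attempts\n", scenario(true, false, true));
    return 0;
}
```

The writable-vma case is included to show that the unfixed THP path only spins for mappings without VM_WRITE: when the vma is writable, the COW fault produces a writable pmd and the second lookup succeeds even without the FOLL_COW check.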

Brian G. (b-gianfo)
summary: "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp" needs to be
- ported to Xenail Kernel
+ ported to Xenial Kernel
tags: added: kernel-bug xenial
Brad Figg (brad-figg) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1660518

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → High