[PATCH 0/5] [Xenial] CVE-2019-10124 - hwpoison memory DoS

Andrea Righi andrea.righi at canonical.com
Tue Apr 2 14:52:57 UTC 2019


When memory_failure() is called on a thp tail page after pmd is split an
attacker can cause a denial of service (via hwpoison), triggering a
reference counter bug, reported by VM_BUG_ON_PAGE().

The reason is that memory_failure() is always using page refcount and
page lock from tail page to head page when calling split_huge_page(),
but it can pass any subpage to split_huge_page(), causing a potential
refcount / locking bug. Fix by locking and checking the proper subpage.

The fix requires backporting additional patches:

 PATCH 1/5: introduce hpage locking in memory_failure()
 PATCH 2/5: no functional changes, only code refactoring that helps to
            apply the next patches
 PATCH 3/5: properly handle non anonymous thp
 PATCH 4/5: a fix similar to the actual CVE
 PATCH 5/5: the actual CVE

Kirill A. Shutemov (1):
 thp, mm: split_huge_page(): caller need to lock page

Naoya Horiguchi (3):
 mm: soft-offline: clean up soft_offline_page()
 mm: soft-offline: exit with failure for non anonymous thp
 mm: hwpoison: fix thp split handling in memory_failure()

zhongjiang (1):
 mm: hwpoison: fix thp split handing in soft_offline_in_use_page()

 mm/memory-failure.c | 80 ++++++++++++++++++++++++++++++++++-------------------
 mm/migrate.c        |  8 ++++--
 2 files changed, 58 insertions(+), 30 deletions(-)

More information about the kernel-team mailing list