ACK/Cmnt: [PATCH 0/5] [Xenial] CVE-2019-10124 - hwpoison memory DoS

Stefan Bader stefan.bader at canonical.com
Wed Apr 17 14:13:39 UTC 2019


On 02.04.19 16:52, Andrea Righi wrote:
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10124.html
> 
> When memory_failure() is called on a thp tail page after pmd is split an
> attacker can cause a denial of service (via hwpoison), triggering a
> reference counter bug, reported by VM_BUG_ON_PAGE().
> 
> The reason is that memory_failure() is always using page refcount and
> page lock from tail page to head page when calling split_huge_page(),
> but it can pass any subpage to split_huge_page(), causing a potential
> refcount / locking bug. Fix by locking and checking the proper subpage.
> 
> The fix requires backporting additional patches:
> 
>  PATCH 1/5: introduce hpage locking in memory_failure()
>  PATCH 2/5: no functional changes, only code refactoring that helps to
>             apply the next patches
>  PATCH 3/5: properly handle non anonymous thp
>  PATCH 4/5: a fix similar to the actual CVE
>  PATCH 5/5: the actual CVE
> 
> Kirill A. Shutemov (1):
>  thp, mm: split_huge_page(): caller need to lock page
> 
> Naoya Horiguchi (3):
>  mm: soft-offline: clean up soft_offline_page()
>  mm: soft-offline: exit with failure for non anonymous thp
>  mm: hwpoison: fix thp split handling in memory_failure()
> 
> zhongjiang (1):
>  mm: hwpoison: fix thp split handing in soft_offline_in_use_page()
> 
>  mm/memory-failure.c | 80 ++++++++++++++++++++++++++++++++++-------------------
>  mm/migrate.c        |  8 ++++--
>  2 files changed, 58 insertions(+), 30 deletions(-)
> 
> 
When doing backports it helps to review when you add a short hint about how hard
it was or what had to be adapted. The submitted patches still look reasonably
compact, so I assume it was mostly context adjustments.

Acked-by: Stefan Bader <stefan.bader at canonical.com>
