ACK/Cmnt: [PATCH 0/5] [Xenial] CVE-2019-10124 - hwpoison memory DoS
Andrea Righi
andrea.righi at canonical.com
Wed Apr 17 14:42:25 UTC 2019
On Wed, Apr 17, 2019 at 04:13:39PM +0200, Stefan Bader wrote:
> On 02.04.19 16:52, Andrea Righi wrote:
> > https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10124.html
> >
> > When memory_failure() is called on a thp tail page after pmd is split an
> > attacker can cause a denial of service (via hwpoison), triggering a
> > reference counter bug, reported by VM_BUG_ON_PAGE().
> >
> > The reason is that memory_failure() is always using page refcount and
> > page lock from tail page to head page when calling split_huge_page(),
> > but it can pass any subpage to split_huge_page(), causing a potential
> > refcount / locking bug. Fix by locking and checking the proper subpage.
> >
> > The fix requires backporting additional patches:
> >
> > PATCH 1/5: introduce hpage locking in memory_failure()
> > PATCH 2/5: no functional changes, only code refactoring that helps to
> > apply the next patches
> > PATCH 3/5: properly handle non anonymous thp
> > PATCH 4/5: a fix similar to the actual CVE
> > PATCH 5/5: the actual CVE
> >
> > Kirill A. Shutemov (1):
> > thp, mm: split_huge_page(): caller need to lock page
> >
> > Naoya Horiguchi (3):
> > mm: soft-offline: clean up soft_offline_page()
> > mm: soft-offline: exit with failure for non anonymous thp
> > mm: hwpoison: fix thp split handling in memory_failure()
> >
> > zhongjiang (1):
> > mm: hwpoison: fix thp split handing in soft_offline_in_use_page()
> >
> > mm/memory-failure.c | 80 ++++++++++++++++++++++++++++++++++-------------------
> > mm/migrate.c | 8 ++++--
> > 2 files changed, 58 insertions(+), 30 deletions(-)
> >
> >
> When doing backports it helps to review when you add a short hint about how hard
> it was or what had to be adapted. The submitted patches still look reasonably
> compact, so I assume it was mostly context adjustments.
Exactly, the "backporting" I'm mentioning was almost clean cherry picks; they only required minor context adjustments.
>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
Thanks,
-Andrea