summaryrefslogtreecommitdiffstats
path: root/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch
diff options
context:
space:
mode:
authorGerrit Code Review <gerrit@automotivelinux.org>2017-01-19 07:01:22 +0000
committerGerrit Code Review <gerrit@automotivelinux.org>2017-01-19 07:01:22 +0000
commita89b8302db0346269f4202e95ca85dbbb6f75a8e (patch)
tree873e234062fb0fcd8c71bd031bdaa217c877648c /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch
parent73e6110c6c12a875da9b6da46c8ddaaff79e3c79 (diff)
parent793d8d01d0377dad21f4e1a330f00d822eced086 (diff)
Merge "Merge branch 'chinook_fixed' into chinook" into chinook
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch
new file mode 100644
index 0000000..e7a143f
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/9999-Backport-fix-for-CVE-2016-5195.patch
@@ -0,0 +1,68 @@
+From 8003e1524789537680204d44d5bf7a82561f8ba3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan-Simon=20M=C3=B6ller?= <jsmoeller@linuxfoundation.org>
+Date: Fri, 4 Nov 2016 20:58:46 +0100
+Subject: [PATCH] Backport fix for CVE-2016-5195
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jan-Simon Möller <jsmoeller@linuxfoundation.org>
+---
+ include/linux/mm.h | 1 +
+ mm/memory.c | 14 ++++++++++++--
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 3bf21c3..263b405 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1702,6 +1702,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
+ #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */
+ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */
+ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */
++#define FOLL_COW 0x4000 /* internal GUP flag */
+
+ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
+ void *data);
+diff --git a/mm/memory.c b/mm/memory.c
+index 48aa275..3a3f316 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1462,6 +1462,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address,
+ }
+ EXPORT_SYMBOL_GPL(zap_vma_ptes);
+
++/*
++ * FOLL_FORCE can write to even unwritable pte's, but only
++ * after we've gone through a COW cycle and they are dirty.
++ */
++static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
++{
++ return pte_write(pte) ||
++ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
++}
++
+ /**
+ * follow_page_mask - look up a page descriptor from a user-virtual address
+ * @vma: vm_area_struct mapping @address
+@@ -1569,7 +1579,7 @@ split_fallthrough:
+ }
+ if ((flags & FOLL_NUMA) && pte_numa(pte))
+ goto no_page;
+- if ((flags & FOLL_WRITE) && !pte_write(pte))
++ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags))
+ goto unlock;
+
+ page = vm_normal_page(vma, address, pte);
+@@ -1876,7 +1886,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
+ */
+ if ((ret & VM_FAULT_WRITE) &&
+ !(vma->vm_flags & VM_WRITE))
+- foll_flags &= ~FOLL_WRITE;
++ foll_flags |= FOLL_COW;
+
+ cond_resched();
+ }
+--
+2.1.4
+