-
Linus Torvalds authored
This is an ancient bug that was actually attrempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9 ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f4 ("fix get_user_pages bug"). In the meantime, the s390 situation has long been fixed, and we can once more try to fix it by checking the pte_dirty() bit properly (and do it better). Also, the VM has become more scalable, and what was a purely theoretical race back then has become easier to trigger. To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid. Reported-and-tested-by:
Phil "not Paul" Oester <kernel@linuxace.com> Cc: Michal Hocko <mhocko@kernel.org> Cc: Andy Lutomirski <luto@kernel.org> Cc: Kees Cook <keescook@chromium.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Willy Tarreau <w@1wt.eu> Acked-by:
Hugh Dickins <hughd@google.com> Cc: Nick Piggin <npiggin@gmail.com> Cc: Greg Thelen <gthelen@google.com> Cc: stable@vger.kernel.org Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> CVE-2016-5195 [ saf: Adjust context for missing FOLL_REMOTE ] Signed-off-by:
Seth Forshee <seth.forshee@canonical.com> Acked-by:
Andy Whitcroft <andy.whitcroft@canonical.com> Acked-by:
Stefan Bader <stefan.bader@canonical.com> Signed-off-by:
b56d2a75
