Commit cc9020f7 authored by Michal Hocko, committed by Stefan Bader

mm: do not collapse stack gap into THP

Oleg has noticed that khugepaged will happily collapse stack vma (as
long as it is not an early stack - see is_vma_temporary_stack) and
it might effectively remove the stack gap area as well because a larger
part of the stack vma is usually populated. The same applies to the
page fault handler.

Fix this by checking stack_guard_area when revalidating a VMA
in hugepage_vma_revalidate.  We do not want to hook/replace
is_vma_temporary_stack() check because THP might be still useful for
stack, all we need is excluding the gap from collapsing into a THP.

Also check the to-be-created THP in do_huge_pmd_anonymous_page to
make sure it is completely outside of the gap area because we could
create THP covering the gap area.

CVE-2017-1000364
Noticed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
[move khugepaged.c code into huge_memory.c]
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
parent b9f2a4fb
......@@ -815,6 +815,9 @@ int do_huge_pmd_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
if (haddr < vma->vm_start || haddr + HPAGE_PMD_SIZE > vma->vm_end)
return VM_FAULT_FALLBACK;
if (stack_guard_area(vma, haddr) ||
stack_guard_area(vma, haddr + HPAGE_PMD_SIZE))
return VM_FAULT_FALLBACK;
if (unlikely(anon_vma_prepare(vma)))
return VM_FAULT_OOM;
if (unlikely(khugepaged_enter(vma, vma->vm_flags)))
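Review bot: The new stack_guard_area() check in do_huge_pmd_anonymous_page tests only the two endpoints of the huge page, haddr and haddr + HPAGE_PMD_SIZE, and the second of those is the exclusive end of the range (the preceding line only guarantees haddr + HPAGE_PMD_SIZE <= vma->vm_end). Whether probing the exclusive end is the intended way to detect a gap that starts exactly at vm_end depends on stack_guard_area()'s boundary semantics, which are not visible here; a one-line comment mirroring the "never try to collapse stack gap" comment from the khugepaged hunk, stating that endpoint checks suffice because the gap sits at one edge of the VMA, would make that assumption explicit and keep the two call sites symmetric.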
......@@ -2561,6 +2564,9 @@ static void collapse_huge_page(struct mm_struct *mm,
goto out;
if (!hugepage_vma_check(vma))
goto out;
/* never try to collapse stack gap */
if (stack_guard_area(vma, hstart) || stack_guard_area(vma, hend))
goto out;
pmd = mm_find_pmd(mm, address);
if (!pmd)
goto out;
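Review bot: The commit message says the check is added "when revalidating a VMA in hugepage_vma_revalidate", but this hunk places it in collapse_huge_page directly after hugepage_vma_check(vma); the bracketed backport note explains the code move, so the message should name collapse_huge_page to match what was actually applied. The hunk also relies on hstart and hend, which are not shown in the visible context; please confirm they are the HPAGE_PMD_SIZE-aligned start and end of the range around `address` so that, as in the fault-path hunk, both edges of the would-be THP are tested against the guard area before mm_find_pmd() is reached.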