Security: CVE-2015-3288
Issue description

Advisory: CVE-2015-3288
Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3288
CVSS severity score: 5.9/10.0
Description: mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.
Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/78faef8c8409710a0e3c046d429dc64ffdf31897

commit 78faef8c8409710a0e3c046d429dc64ffdf31897
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/426089
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/78faef8c8409710a0e3c046d429dc64ffdf31897/mm/memory.c
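The dispatch rule the commit message describes, as an added example that is not part of this issue, of the backport, or of the kernel source: a small userspace C model of the pte_none() branch of handle_pte_fault() before and after the fix. The type and function names (vma_model, vm_ops_model, dispatch_before, dispatch_after, outcome_before, outcome_after, fix_changes_outcome) are hypothetical, chosen for this example. The "before" branch follows the behaviour the message describes (no vm_ops->fault() means do_anonymous_page()); the "after" branch encodes the two new conditions (do_anonymous_page() only when ->vm_ops == NULL and the VMA is not VM_SHARED; any other VMA goes to the file fault path, which yields SIGBUS when there is no ->fault). The fourth constructed case is the one CVE-2015-3288 is about: a file mapping whose driver supplies vm_ops without ->fault used to be handed a fresh anonymous page.

```c
/* Added userspace model of the pte_none() dispatch in handle_pte_fault(),
 * before and after the fix for CVE-2015-3288.  Not kernel code: the type
 * and function names below are hypothetical, chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define VM_SHARED 0x00000008UL   /* same bit value the kernel uses */

struct vm_ops_model {
    bool has_fault;              /* models vm_ops->fault != NULL */
};

struct vma_model {
    const struct vm_ops_model *vm_ops;   /* NULL for an anonymous VMA */
    unsigned long vm_flags;
};

enum fault_outcome {
    OUTCOME_ANON_PAGE,   /* do_anonymous_page(): fresh zeroed anonymous page */
    OUTCOME_FILE_FAULT,  /* do_fault() -> vm_ops->fault() */
    OUTCOME_SIGBUS       /* VM_FAULT_SIGBUS delivered to the process */
};

/* Before the fix: a VMA with vm_ops but no ->fault, or a shared anonymous
 * VMA, falls through to do_anonymous_page() like a private anonymous one. */
enum fault_outcome dispatch_before(const struct vma_model *vma)
{
    if (vma->vm_ops && vma->vm_ops->has_fault)
        return OUTCOME_FILE_FAULT;
    return OUTCOME_ANON_PAGE;
}

/* After the fix: only a truly anonymous (vm_ops == NULL), non-shared VMA
 * gets an anonymous page.  A shared VMA without vm_ops, or a file VMA
 * whose vm_ops lacks ->fault, gets SIGBUS instead. */
enum fault_outcome dispatch_after(const struct vma_model *vma)
{
    if (vma->vm_ops == NULL) {             /* vma_is_anonymous() */
        if (vma->vm_flags & VM_SHARED)     /* file mapping without vm_ops? */
            return OUTCOME_SIGBUS;
        return OUTCOME_ANON_PAGE;
    }
    if (!vma->vm_ops->has_fault)           /* do_fault() with no ->fault */
        return OUTCOME_SIGBUS;
    return OUTCOME_FILE_FAULT;
}

/* Scalar wrappers so a case can be stated without building the structs. */
enum fault_outcome outcome_before(bool has_vm_ops, bool has_fault, bool shared)
{
    struct vm_ops_model ops = { .has_fault = has_fault };
    struct vma_model vma = { has_vm_ops ? &ops : NULL, shared ? VM_SHARED : 0UL };
    return dispatch_before(&vma);
}

enum fault_outcome outcome_after(bool has_vm_ops, bool has_fault, bool shared)
{
    struct vm_ops_model ops = { .has_fault = has_fault };
    struct vma_model vma = { has_vm_ops ? &ops : NULL, shared ? VM_SHARED : 0UL };
    return dispatch_after(&vma);
}

/* True when the fix changes what the fault handler does for this VMA. */
bool fix_changes_outcome(bool has_vm_ops, bool has_fault, bool shared)
{
    return outcome_before(has_vm_ops, has_fault, shared) !=
           outcome_after(has_vm_ops, has_fault, shared);
}

static const char *outcome_name(enum fault_outcome o)
{
    switch (o) {
    case OUTCOME_ANON_PAGE:  return "do_anonymous_page";
    case OUTCOME_FILE_FAULT: return "do_fault";
    default:                 return "SIGBUS";
    }
}

int main(void)
{
    /* Constructed cases: (vm_ops present?, ->fault present?, VM_SHARED?) */
    const struct { const char *label; bool ops, fault, shared; } cases[] = {
        { "anonymous, private",    false, false, false },
        { "anonymous, shared",     false, false, true  },
        { "file, ->fault present", true,  true,  true  },
        { "file, ->fault missing", true,  false, false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s before=%-18s after=%-18s %s\n", cases[i].label,
               outcome_name(outcome_before(cases[i].ops, cases[i].fault, cases[i].shared)),
               outcome_name(outcome_after(cases[i].ops, cases[i].fault, cases[i].shared)),
               fix_changes_outcome(cases[i].ops, cases[i].fault, cases[i].shared)
                   ? "<- changed by fix" : "");
    return 0;
}
```

Running main prints one row per constructed case; the two rows marked "changed by fix" are exactly the configurations the commit message singles out (a shared VMA without vm_ops, and a file VMA whose vm_ops has no ->fault), and for both the fix replaces a silently installed anonymous page with SIGBUS. That SIGBUS is also why the later revert in this issue happened: a userspace program that relied on the old fall-through now crashes instead of getting a page.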
Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a61fa714c08210ae0439f7c216d3f4597918bed5

commit a61fa714c08210ae0439f7c216d3f4597918bed5
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/425792
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/a61fa714c08210ae0439f7c216d3f4597918bed5/mm/memory.c
Jan 11 2017

Jan 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b8de00e1aab5008f186853f9608089c8c0b13a02

commit b8de00e1aab5008f186853f9608089c8c0b13a02
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: Icdca9048f80f6d7201b6d9887c58cbb750ffb721
Reviewed-on: https://chromium-review.googlesource.com/425791
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/b8de00e1aab5008f186853f9608089c8c0b13a02/mm/memory.c
Jan 12 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 13 2017

Jan 13 2017
3.8 is still pending.
Jan 13 2017

Jan 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/337c1a2fff78bed510dddcb6490b99fc4913527d

commit 337c1a2fff78bed510dddcb6490b99fc4913527d
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/426090
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/337c1a2fff78bed510dddcb6490b99fc4913527d/mm/memory.c
Jan 14 2017

Jan 15 2017
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL to branch 2924 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 2017

Jan 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c33ab527e798d8b6b7ef541c889fade58b841434

commit c33ab527e798d8b6b7ef541c889fade58b841434
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/426089
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 78faef8c8409710a0e3c046d429dc64ffdf31897)
Reviewed-on: https://chromium-review.googlesource.com/428443
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/c33ab527e798d8b6b7ef541c889fade58b841434/mm/memory.c
Jan 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4d1b305e95d1ad2d5d47e98f3c627188ebb66bde

commit 4d1b305e95d1ad2d5d47e98f3c627188ebb66bde
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/426090
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 337c1a2fff78bed510dddcb6490b99fc4913527d)
Reviewed-on: https://chromium-review.googlesource.com/428444
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/4d1b305e95d1ad2d5d47e98f3c627188ebb66bde/mm/memory.c
Jan 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e4705ed72ec0d0825dd8d93d098f48b4398b937b

commit e4705ed72ec0d0825dd8d93d098f48b4398b937b
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I2be8d168721864b0d16d5762b1b4dce59f99df14
Reviewed-on: https://chromium-review.googlesource.com/425792
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit a61fa714c08210ae0439f7c216d3f4597918bed5)
Reviewed-on: https://chromium-review.googlesource.com/428446
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e4705ed72ec0d0825dd8d93d098f48b4398b937b/mm/memory.c
Jan 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/cedc783822d2ff1f67b56cd0e565a4183737f575

commit cedc783822d2ff1f67b56cd0e565a4183737f575
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Mon Jul 06 20:18:37 2015

BACKPORT: mm: avoid setting up anonymous pages into file mapping

Reading the page fault handler code I've noticed that under the right circumstances the kernel would map anonymous pages into file mappings: if the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated on ->mmap(), the kernel would handle a page fault on an unpopulated pte with do_anonymous_page().

Let's change the page fault handler to use do_anonymous_page() only on an anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not shared.

For file mappings without vm_ops->fault(), or a shared VMA without vm_ops, a page fault on a pte_none() entry would lead to SIGBUS.

BUG=chromium:679484
TEST=Build image and test normal operation

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: Icdca9048f80f6d7201b6d9887c58cbb750ffb721
Reviewed-on: https://chromium-review.googlesource.com/425791
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit b8de00e1aab5008f186853f9608089c8c0b13a02)
Reviewed-on: https://chromium-review.googlesource.com/428447
Commit-Queue: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/cedc783822d2ff1f67b56cd0e565a4183737f575/mm/memory.c
Jan 17 2017

Feb 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/29d7a7846becacc8af7e0cd3bff1e9d2c0804fe7

commit 29d7a7846becacc8af7e0cd3bff1e9d2c0804fe7
Author: Guenter Roeck <groeck@chromium.org>
Date: Tue Feb 07 14:48:46 2017

Revert "BACKPORT: mm: avoid setting up anonymous pages into file mapping"

This reverts commit cedc783822d2ff1f67b56cd0e565a4183737f575.

Reason for revert: The patch causes older versions of Chrome (the version available in R56) to crash.

Original change's description:
> BACKPORT: mm: avoid setting up anonymous pages into file mapping
>
> Reading the page fault handler code I've noticed that under the right
> circumstances the kernel would map anonymous pages into file mappings: if
> the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
> on ->mmap(), the kernel would handle a page fault on an unpopulated pte
> with do_anonymous_page().
>
> Let's change the page fault handler to use do_anonymous_page() only on an
> anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
> shared.
>
> For file mappings without vm_ops->fault(), or a shared VMA without vm_ops,
> a page fault on a pte_none() entry would lead to SIGBUS.
>
> BUG=chromium:679484
> TEST=Build image and test normal operation
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> Acked-by: Oleg Nesterov <oleg@redhat.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Willy Tarreau <w@1wt.eu>
> Cc: stable@vger.kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> (cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
>
> Change-Id: Icdca9048f80f6d7201b6d9887c58cbb750ffb721
> Reviewed-on: https://chromium-review.googlesource.com/425791
> Commit-Ready: Guenter Roeck <groeck@chromium.org>
> Tested-by: Guenter Roeck <groeck@chromium.org>
> Reviewed-by: Guenter Roeck <groeck@chromium.org>
> (cherry picked from commit b8de00e1aab5008f186853f9608089c8c0b13a02)
> Reviewed-on: https://chromium-review.googlesource.com/428447
> Commit-Queue: Guenter Roeck <groeck@chromium.org>

TBR=groeck@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
BUG=chromium:679484, chrome-os-partner:62262
TEST=Resize window in Chrome hangout session without crash

Change-Id: Ic0f1efc8dcfa2d435a6e04962b1f6e15b66379a2
Signed-off-by: Guenter Roeck <groeck@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/438818

[modify] https://crrev.com/29d7a7846becacc8af7e0cd3bff1e9d2c0804fe7/mm/memory.c
Feb 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8bc6aca7469c4bb362c0ac2b1bc962cd188e68fb

commit 8bc6aca7469c4bb362c0ac2b1bc962cd188e68fb
Author: Guenter Roeck <groeck@chromium.org>
Date: Sat Feb 11 06:53:00 2017

Revert "Revert "BACKPORT: mm: avoid setting up anonymous pages into file mapping""

This reverts commit 29d7a7846becacc8af7e0cd3bff1e9d2c0804fe7.

Reason for revert: The underlying problem has been merged into R56 as per the bug report.

Original change's description:
> Revert "BACKPORT: mm: avoid setting up anonymous pages into file mapping"
>
> This reverts commit cedc783822d2ff1f67b56cd0e565a4183737f575.
>
> Reason for revert: The patch causes older versions of Chrome (the version available in R56) to crash.
>
> Original change's description:
> > BACKPORT: mm: avoid setting up anonymous pages into file mapping
> >
> > Reading the page fault handler code I've noticed that under the right
> > circumstances the kernel would map anonymous pages into file mappings: if
> > the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
> > on ->mmap(), the kernel would handle a page fault on an unpopulated pte
> > with do_anonymous_page().
> >
> > Let's change the page fault handler to use do_anonymous_page() only on an
> > anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
> > shared.
> >
> > For file mappings without vm_ops->fault(), or a shared VMA without vm_ops,
> > a page fault on a pte_none() entry would lead to SIGBUS.
> >
> > BUG=chromium:679484
> > TEST=Build image and test normal operation
> >
> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
> > Acked-by: Oleg Nesterov <oleg@redhat.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Cc: Willy Tarreau <w@1wt.eu>
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> > (cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
> > Signed-off-by: Guenter Roeck <groeck@chromium.org>
> >
> > Change-Id: Icdca9048f80f6d7201b6d9887c58cbb750ffb721
> > Reviewed-on: https://chromium-review.googlesource.com/425791
> > Commit-Ready: Guenter Roeck <groeck@chromium.org>
> > Tested-by: Guenter Roeck <groeck@chromium.org>
> > Reviewed-by: Guenter Roeck <groeck@chromium.org>
> > (cherry picked from commit b8de00e1aab5008f186853f9608089c8c0b13a02)
> > Reviewed-on: https://chromium-review.googlesource.com/428447
> > Commit-Queue: Guenter Roeck <groeck@chromium.org>
>
> TBR=groeck@chromium.org
> # Not skipping CQ checks because original CL landed > 1 day ago.
> BUG=chromium:679484, chrome-os-partner:62262
> TEST=Resize window in Chrome hangout session without crash
>
> Change-Id: Ic0f1efc8dcfa2d435a6e04962b1f6e15b66379a2
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> Reviewed-on: https://chromium-review.googlesource.com/438818

TBR=groeck@chromium.org
# Not skipping CQ checks because original CL landed > 1 day ago.
BUG=chromium:679484, chrome-os-partner:62262

Change-Id: I8fdfb6e1e5e134ec9c309cf2cc08dcd936b0a63e
Reviewed-on: https://chromium-review.googlesource.com/439718
Trybot-Ready: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/8bc6aca7469c4bb362c0ac2b1bc962cd188e68fb/mm/memory.c
Apr 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by groeck@chromium.org, Jan 9 2017