linux-hardened/fs
Sasha Levin 08fa29d916 mm: fix NULL ptr deref when walking hugepages
A missing validation of the value returned by find_vma() could cause a
NULL ptr dereference when walking the pagetable.

This is triggerable from usermode by a simple user by trying to read a
page info out of /proc/pid/pagemap which doesn't exist.

Introduced by commit 025c5b2451 ("thp: optimize away unnecessary page
table locking").

Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: <stable@vger.kernel.org>		[3.4.x]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-05-29 16:22:18 -07:00
9p vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
adfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
affs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
afs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
autofs4 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
befs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
bfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
btrfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
cachefiles switch touch_atime to struct path 2012-03-20 21:29:41 -04:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-03-28 10:01:29 -07:00
cifs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
coda vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
configfs make configfs_pin_fs() return root dentry on success 2012-03-20 21:29:48 -04:00
cramfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
debugfs debugfs: Add support to print u32 array in debugfs 2012-04-17 00:18:36 -04:00
devpts userns: Convert devpts to use kuid/kgid where appropriate 2012-05-15 14:59:26 -07:00
dlm dlm: NULL dereference on failure in kmem_cache_create() 2012-05-15 10:39:28 -05:00
ecryptfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
efs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
exofs Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd 2012-05-28 13:10:41 -07:00
exportfs
ext2 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
ext3 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
ext4 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
fat vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
freevxfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
fscache
fuse avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
gfs2 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
hfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
hfsplus avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
hostfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
hpfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
hppfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
hugetlbfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
isofs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
jbd jbd: Write journal superblock with WRITE_FUA after checkpointing 2012-05-15 23:34:37 +02:00
jbd2 jbd2: use GFP_NOFS for blkdev_issue_flush 2012-04-23 21:43:41 -04:00
jffs2 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
jfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
lockd lockd: fix the endianness bug 2012-04-13 13:50:52 -04:00
logfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
minix vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
ncpfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
nfs NFS client updates for Linux 3.5 2012-05-29 10:43:51 -07:00
nfs_common
nfsd Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
nilfs2 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
nls
notify fs/notify/notification.c: make subsys_initcall function static 2012-03-23 16:58:31 -07:00
ntfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
ocfs2 avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
omfs vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
openpromfs switch open-coded instances of d_make_root() to new helper 2012-03-20 21:29:35 -04:00
proc mm: fix NULL ptr deref when walking hugepages 2012-05-29 16:22:18 -07:00
pstore avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
qnx4 qnx4: new helper - try_extent() 2012-03-20 21:29:52 -04:00
qnx6 fs: initial qnx6fs addition 2012-03-20 21:29:38 -04:00
quota quota: Get rid of nested I_MUTEX_QUOTA locking subclass 2012-05-15 23:34:39 +02:00
ramfs tidy up after d_make_root() conversion 2012-03-20 21:29:37 -04:00
reiserfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
romfs MTD merge for 3.4 2012-03-30 17:31:56 -07:00
squashfs Add an extra mount time sanity check, plus some code cleanups and bug fixes. 2012-03-28 18:05:54 -07:00
sysfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
sysv vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
ubifs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
udf avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
ufs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
xfs avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
aio.c vfs: make AIO use the proper rw_verify_area() area helpers 2012-05-21 16:06:20 -07:00
anon_inodes.c anon_inodes: move allocation of anon_inode into ->mount() 2012-03-20 21:29:45 -04:00
attr.c userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs 2012-05-03 03:29:34 -07:00
bad_inode.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
binfmt_aout.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
binfmt_elf_fdpic.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
binfmt_em86.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_flat.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_misc.c vfs: Rename end_writeback() to clear_inode() 2012-05-06 13:43:41 +08:00
binfmt_script.c __register_binfmt() made void 2012-03-20 21:29:46 -04:00
binfmt_som.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
bio-integrity.c fs: remove the second argument of k[un]map_atomic() 2012-03-20 21:48:21 +08:00
bio.c bio allocation failure due to bio_get_nr_vecs() 2012-05-11 16:45:12 +02:00
block_dev.c avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
buffer.c block: don't mark buffers beyond end of disk as mapped 2012-05-11 16:42:14 +02:00
char_dev.c char_dev.c: fix up some whitespace errors 2011-12-13 11:18:17 -08:00
compat.c userns: Convert stat to return values mapped from kuids and kgids 2012-05-15 14:08:35 -07:00
compat_binfmt_elf.c
compat_ioctl.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
dcache.c mm: add a low limit to alloc_large_system_hash 2012-05-24 00:28:21 -04:00
dcookies.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
direct-io.c Restore direct_io / truncate locking API 2012-02-23 15:56:21 -08:00
drop_caches.c
eventfd.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
eventpoll.c epoll: Fix user space breakage related to EPOLLWAKEUP 2012-05-22 20:57:06 +02:00
exec.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
fcntl.c userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs 2012-05-03 03:29:34 -07:00
fhandle.c vfs: prefer ->dentry->d_sb to ->mnt->mnt_sb 2012-01-06 23:16:53 -05:00
fifo.c
file.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
file_table.c vfs: drop_file_write_access() made static 2012-03-20 21:29:32 -04:00
filesystems.c vfs: convert fs_supers to hlist 2012-01-03 22:52:39 -05:00
fs-writeback.c writeback: Avoid iput() from flusher thread 2012-05-06 13:43:41 +08:00
fs_struct.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
generic_acl.c
inode.c avoid iput() from flusher thread 2012-05-28 09:54:45 -07:00
internal.h vfs: protect remounting superblock read-only 2012-01-06 23:20:12 -05:00
ioctl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
ioprio.c userns: Use uid_eq gid_eq helpers when comparing kuids and kgids in the vfs 2012-05-03 03:29:34 -07:00
Kconfig Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2012-03-21 13:36:41 -07:00
Kconfig.binfmt C6X: add support to build with BINFMT_ELF_FDPIC 2012-05-15 09:17:34 -04:00
libfs.c vfs: make it possible to access the dentry hash/len as one 64-bit entry 2012-05-10 19:54:35 -07:00
locks.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
Makefile fs: initial qnx6fs addition 2012-03-20 21:29:38 -04:00
mbcache.c
mount.h vfs: keep list of mounts for each superblock 2012-01-06 23:20:12 -05:00
mpage.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
namei.c word-at-a-time: make the interfaces truly generic 2012-05-26 11:33:40 -07:00
namespace.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-01-08 13:21:22 -08:00
no-block.c
open.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
pipe.c pipes: add a "packetized pipe" mode for writing 2012-04-29 13:12:42 -07:00
pnode.c vfs: switch pnode.h macros to struct mount * 2012-01-03 22:57:11 -05:00
pnode.h vfs: switch pnode.h macros to struct mount * 2012-01-03 22:57:11 -05:00
posix_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
proc_namespace.c vfs: switch ->show_options() to struct dentry * 2012-01-06 23:19:54 -05:00
read_write.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
read_write.h
readdir.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
select.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
seq_file.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
signalfd.c epoll: ep_unregister_pollwait() can use the freed pwq->whead 2012-02-24 11:42:50 -08:00
splice.c tcp: tcp_sendpages() should call tcp_push() once 2012-04-05 19:04:27 -04:00
stack.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
stat.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2012-05-23 17:42:39 -07:00
statfs.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
super.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
sync.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00
timerfd.c
utimes.c
xattr.c fs/xattr.c:setxattr(): improve handling of allocation failures 2012-04-05 15:25:50 -07:00
xattr_acl.c fs: reduce the use of module.h wherever possible 2012-02-28 19:31:58 -05:00