From patchwork Thu Apr 21 06:27:04 2016
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 8896391
Message-Id: <57188ED802000078000E431C@prv-mh.provo.novell.com>
Date: Thu, 21 Apr 2016 00:27:04 -0600
From: "Jan Beulich"
Cc: Juergen Gross, xen-devel, Boris Ostrovsky, David Vrabel, linux-kernel@vger.kernel.org
Subject: [Xen-devel] [PATCH] x86/xen: suppress hugetlbfs in PV guests

Huge pages are not normally available to PV guests. Not suppressing
hugetlbfs use results in an endless loop of page faults when user mode
code tries to access a hugetlbfs mapped area (since the hypervisor
denies such PTEs to be created, but error indications can't be
propagated out of xen_set_pte_at(), just like for various of its
siblings), and - once killed in an oops like this:

kernel BUG at .../fs/hugetlbfs/inode.c:428!
invalid opcode: 0000 [#1] SMP
Modules linked in: ...
Supported: Yes
CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G W 4.4.0-2016-01-20-pv #2
Hardware name: ...
task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000
RIP: e030:[] [] remove_inode_hugepages+0x25b/0x320
RSP: e02b:ffff880803c879a8 EFLAGS: 00010202
RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38
RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960
RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0
FS: 00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660
Stack:
 ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0
 ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000
 ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758
Call Trace:
 [] hugetlbfs_evict_inode+0x15/0x40
 [] evict+0xbd/0x1b0
 [] __dentry_kill+0x19a/0x1f0
 [] dput+0x1fe/0x220
 [] __fput+0x155/0x200
 [] task_work_run+0x60/0xa0
 [] do_exit+0x160/0x400
 [] do_group_exit+0x3b/0xa0
 [] get_signal+0x1ed/0x470
 [] do_signal+0x14/0x110
 [] prepare_exit_to_usermode+0xe9/0xf0
 [] retint_user+0x8/0x13

This is CVE-2016-3961 / XSA-174.

Reported-by: Vitaly Kuznetsov
Signed-off-by: Jan Beulich
Cc: stable@vger.kernel.org
--- arch/x86/include/asm/hugetlb.h | 1 + 1 file changed, 1 insertion(+) --- 4.6-rc4/arch/x86/include/asm/hugetlb.h +++ 4.6-rc4-xsa174/arch/x86/include/asm/hugetlb.h @@ -4,6 +4,7 @@ #include #include +#define hugepages_supported() cpu_has_pse static inline int is_hugepage_only_range(struct mm_struct *mm, unsigned long addr,
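Review bot: The added line "#define hugepages_supported() cpu_has_pse" has no comment, and neither the hunk nor the commit message says why the PSE feature bit is the right test for the PV-guest case; the message only states that huge pages are not normally available to PV guests. A short comment above the define should state the assumption being relied on (that cpu_has_pse is false whenever the hypervisor would refuse huge PTEs), and the message should say what this means for any non-Xen configuration where the bit is clear. The hunk also does not show how this define interacts with a generic definition of hugepages_supported(); please confirm that the generic one is guarded so this override takes effect wherever the header is included.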