[PATCH] x86/xen: suppress hugetlbfs in PV guests

From: Jan Beulich
Date: Thu Apr 21 2016 - 02:27:15 EST

Next message: Vinay Simha BN: "[PATCH v3] drm/dsi: Implement set tear scanline"
Previous message: Takashi Iwai: "Re: Sound: BUG: KASAN: use-after-free in kill_fasync"
Next in thread: tip-bot for Jan Beulich: "[tip:x86/asm] x86/mm/xen: Suppress hugetlbfs in PV guests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Huge pages are not normally available to PV guests. Not suppressing
hugetlbfs use results in an endless loop of page faults when user mode
code tries to access a hugetlbfs mapped area (since the hypervisor
denies such PTEs to be created, but error indications can't be
propagated out of xen_set_pte_at(), just like for various of its
siblings), and - once killed in an oops like this:

kernel BUG at .../fs/hugetlbfs/inode.c:428!
invalid opcode: 0000 [#1] SMP
Modules linked in: ...
Supported: Yes
CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G W 4.4.0-2016-01-20-pv #2
Hardware name: ...
task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000
RIP: e030:[<ffffffff811c333b>] [<ffffffff811c333b>] remove_inode_hugepages+0x25b/0x320
RSP: e02b:ffff880803c879a8 EFLAGS: 00010202
RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38
RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960
RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0
FS: 00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660
Stack:
ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0
ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000
ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758
Call Trace:
[<ffffffff811c3415>] hugetlbfs_evict_inode+0x15/0x40
[<ffffffff81167b3d>] evict+0xbd/0x1b0
[<ffffffff8116514a>] __dentry_kill+0x19a/0x1f0
[<ffffffff81165b0e>] dput+0x1fe/0x220
[<ffffffff81150535>] __fput+0x155/0x200
[<ffffffff81079fc0>] task_work_run+0x60/0xa0
[<ffffffff81063510>] do_exit+0x160/0x400
[<ffffffff810637eb>] do_group_exit+0x3b/0xa0
[<ffffffff8106e8bd>] get_signal+0x1ed/0x470
[<ffffffff8100f854>] do_signal+0x14/0x110
[<ffffffff810030e9>] prepare_exit_to_usermode+0xe9/0xf0
[<ffffffff814178a5>] retint_user+0x8/0x13

This is CVE-2016-3961 / XSA-174.

Reported-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
arch/x86/include/asm/hugetlb.h | 1 +
1 file changed, 1 insertion(+)

--- 4.6-rc4/arch/x86/include/asm/hugetlb.h
+++ 4.6-rc4-xsa174/arch/x86/include/asm/hugetlb.h
@@ -4,6 +4,7 @@
#include <asm/page.h>
#include <asm-generic/hugetlb.h>

+#define hugepages_supported() cpu_has_pse

static inline int is_hugepage_only_range(struct mm_struct *mm,
unsigned long addr,

Next message: Vinay Simha BN: "[PATCH v3] drm/dsi: Implement set tear scanline"
Previous message: Takashi Iwai: "Re: Sound: BUG: KASAN: use-after-free in kill_fasync"
Next in thread: tip-bot for Jan Beulich: "[tip:x86/asm] x86/mm/xen: Suppress hugetlbfs in PV guests"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]