mm/pagewalk.c: report holes in hugetlb ranges

CVE-2017-16994

This matters at least for the mincore syscall, which will otherwise copy
uninitialized memory from the page allocator to userspace.  It is
probably also a correctness error for /proc/$pid/pagemap, but I haven't
tested that.

Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has
no effect because the caller already checks for that.

This only reports holes in hugetlb ranges to callers who have specified
a hugetlb_entry callback.

This issue was found using an AFL-based fuzzer.

v2:
 - don't crash on ->pte_hole==NULL (Andrew Morton)
 - add Cc stable (Andrew Morton)

Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()")
Signed-off-by: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 373c4557d2aa362702c4c2d41288fb1e54990b7c)
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 1a41979654150f05514cd25f0da685fe397f1104..7d973f63088cb550186d498de8ca0bcc5e580273 100644 (file)
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -187,8 +187,12 @@ static int walk_hugetlb_range(unsigned long addr, unsigned long end,
        do {
                next = hugetlb_entry_end(h, addr, end);
                pte = huge_pte_offset(walk->mm, addr & hmask, sz);
-               if (pte && walk->hugetlb_entry)
+
+               if (pte)
                        err = walk->hugetlb_entry(pte, hmask, addr, next, walk);
+               else if (walk->pte_hole)
+                       err = walk->pte_hole(addr, next, walk);
+
                if (err)
                        break;
        } while (addr = next, addr != end);