Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751679AbcDUG1L (ORCPT ); Thu, 21 Apr 2016 02:27:11 -0400
Received: from prv-mh.provo.novell.com ([137.65.248.74]:58844 "EHLO prv-mh.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751172AbcDUG1K convert rfc822-to-8bit (ORCPT ); Thu, 21 Apr 2016 02:27:10 -0400
Message-Id: <57188ED802000078000E431C@prv-mh.provo.novell.com>
X-Mailer: Novell GroupWise Internet Agent 14.2.0
Date: Thu, 21 Apr 2016 00:27:04 -0600
From: "Jan Beulich"
To: , ,
Cc: "David Vrabel" , "xen-devel" , "Boris Ostrovsky" , "Juergen Gross" ,
Subject: [PATCH] x86/xen: suppress hugetlbfs in PV guests
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8BIT
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2643
Lines: 63

Huge pages are not normally available to PV guests. Not suppressing
hugetlbfs use results in an endless loop of page faults when user mode
code tries to access a hugetlbfs mapped area (since the hypervisor
denies such PTEs to be created, but error indications can't be
propagated out of xen_set_pte_at(), just like for various of its
siblings), and - once killed - in an oops like this:

kernel BUG at .../fs/hugetlbfs/inode.c:428!
invalid opcode: 0000 [#1] SMP
Modules linked in: ...
Supported: Yes
CPU: 2 PID: 6088 Comm: hugetlbfs Tainted: G W 4.4.0-2016-01-20-pv #2
Hardware name: ...
task: ffff8808059205c0 ti: ffff880803c84000 task.ti: ffff880803c84000
RIP: e030:[] [] remove_inode_hugepages+0x25b/0x320
RSP: e02b:ffff880803c879a8 EFLAGS: 00010202
RAX: 000000000077a4db RBX: ffffea001acff000 RCX: 0000000078417d38
RDX: 0000000000000000 RSI: 000000007e154fa7 RDI: ffff880805d70960
RBP: 0000000000000960 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff880807486018 R14: 0000000000000000 R15: ffff880803c87af0
FS: 00007f85fa8b8700(0000) GS:ffff88080b640000(0000) knlGS:0000000000000000
CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f85fa000000 CR3: 0000000001a0a000 CR4: 0000000000040660
Stack:
 ffff880000000fb0 ffff880803c87a18 ffff880803c87ae8 ffff8808059205c0
 ffff880803c87af0 ffff880803c87ae8 ffff880807486018 0000000000000000
 ffffffff81bf6e60 ffff880807486168 000003ffffffffff 0000000003c87758
Call Trace:
 [] hugetlbfs_evict_inode+0x15/0x40
 [] evict+0xbd/0x1b0
 [] __dentry_kill+0x19a/0x1f0
 [] dput+0x1fe/0x220
 [] __fput+0x155/0x200
 [] task_work_run+0x60/0xa0
 [] do_exit+0x160/0x400
 [] do_group_exit+0x3b/0xa0
 [] get_signal+0x1ed/0x470
 [] do_signal+0x14/0x110
 [] prepare_exit_to_usermode+0xe9/0xf0
 [] retint_user+0x8/0x13

This is CVE-2016-3961 / XSA-174.

Reported-by: Vitaly Kuznetsov
Signed-off-by: Jan Beulich
Cc: stable@vger.kernel.org
---
 arch/x86/include/asm/hugetlb.h | 1 +
 1 file changed, 1 insertion(+)

--- 4.6-rc4/arch/x86/include/asm/hugetlb.h +++ 4.6-rc4-xsa174/arch/x86/include/asm/hugetlb.h @@ -4,6 +4,7 @@ #include #include +#define hugepages_supported() cpu_has_pse static inline int is_hugepage_only_range(struct mm_struct *mm, unsigned long addr,
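Review bot: the added `#define hugepages_supported() cpu_has_pse` in this hunk leaves the reasoning implicit: the description says huge pages are not normally available to PV guests, but neither the description nor the hunk states that PSE is what a PV guest does not report, which is the only way tying the generic hugepages_supported() check to cpu_has_pse actually disables hugetlbfs there. Suggest a one-line comment above the define (and a sentence in the description) making that link explicit, so a reader of hugetlb.h alone can see why PSE is the gate and so the stable backport reviewers can confirm the same holds for the kernels they target. It would also help to name in the description which user-visible paths hugepages_supported() now turns off, since the hunk itself only shows the header change.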
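The patch gates hugetlbfs on the PSE CPU feature. A defender verifying a guest after this fix wants to check the same two things from user mode: whether the guest's cpuinfo advertises "pse" at all, and whether the kernel still hands out a MAP_HUGETLB mapping. The probe below is an added example written for this page, not code from the patch or from the kernel; it assumes a Linux/glibc build, uses the x86 value of MAP_HUGETLB as a fallback for old headers, and picks a 2 MiB mapping size as an assumption. It deliberately never touches the mapping, because the description says the fault loop on an unfixed PV kernel starts on access; the probe only looks at the mmap() result.

```c
/* Added example: user-mode check of PSE advertisement and MAP_HUGETLB
 * availability. Not part of the patch above; assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20      /* assumption: Linux ABI value, for strict headers */
#endif
#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000     /* assumption: x86 Linux ABI value, for old headers */
#endif

/* Return 1 if `flag` appears as a whole token on a "flags" line of cpuinfo
 * text, else 0. Whole-token matching matters: "pse" must not match "pse36". */
int cpuinfo_has_flag(const char *cpuinfo, const char *flag)
{
    const char *line = cpuinfo;
    size_t flen = strlen(flag);

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 5 && strncmp(line, "flags", 5) == 0) {
            const char *colon = memchr(line, ':', len);
            const char *p = colon ? colon + 1 : line + 5;
            const char *end = line + len;

            while (p < end) {
                while (p < end && (*p == ' ' || *p == '\t'))
                    p++;
                const char *tok = p;
                while (p < end && *p != ' ' && *p != '\t')
                    p++;
                if ((size_t)(p - tok) == flen && memcmp(tok, flag, flen) == 0)
                    return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read /proc/cpuinfo into a malloc'd, NUL-terminated buffer; NULL on failure. */
static char *read_cpuinfo(void)
{
    FILE *f = fopen("/proc/cpuinfo", "r");
    char *buf = NULL;
    size_t used = 0, cap = 0;

    if (!f)
        return NULL;
    for (;;) {
        if (used + 4096 + 1 > cap) {
            cap = cap ? cap * 2 : 8192;
            char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        size_t n = fread(buf + used, 1, 4096, f);
        used += n;
        if (n == 0)
            break;
    }
    fclose(f);
    buf[used] = '\0';
    return buf;
}

/* Ask for one huge-page-backed anonymous mapping and release it at once.
 * Returns 1 if the kernel created it, 0 if mmap() refused (errno is kept
 * for the caller). The memory is intentionally never accessed. */
int probe_hugetlb_mmap(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

int main(void)
{
    char *ci = read_cpuinfo();
    int pse = ci ? cpuinfo_has_flag(ci, "pse") : -1;
    free(ci);
    printf("cpuinfo advertises pse: %s\n",
           pse < 0 ? "unknown (no /proc/cpuinfo)" : pse ? "yes" : "no");

    errno = 0;
    int mapped = probe_hugetlb_mmap((size_t)2 << 20);   /* assumption: 2 MiB */
    printf("MAP_HUGETLB mapping: %s%s%s\n", mapped ? "granted" : "refused (",
           mapped ? "" : strerror(errno), mapped ? "" : ")");
    return 0;
}
```

On a guest carrying the fix and not reporting PSE, the expected combination is "pse: no" together with a refused mapping; a granted mapping on a guest that does not advertise PSE is the condition the patch is meant to rule out. A refusal on its own is not conclusive, since a kernel with hugetlbfs enabled but no huge pages reserved also refuses the request.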