Re: Patch "ipc/shm: fix crash if CONFIG_SHMEM is not set" has been added to the 4.7-stable tree

On Tue, 27 Sep 2016, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     ipc/shm: fix crash if CONFIG_SHMEM is not set
> 
> to the 4.7-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      ipc-shm-fix-crash-if-config_shmem-is-not-set.patch
> and it can be found in the queue-4.7 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.

The <stable@xxxxxxxxxxxxxxx> [4.7.x] tag was mistakenly added to this
commit: the commit to be fixed went into v4.8-rc1, and there is no
reason to expect that it will ever be backported to 4.7.x.  I don't
think this change to ramfs will do any actual harm in 4.7.x, but it
is rather odd to include it.

Hugh

> 
> 
> From 31b4beb473e3bdee1bf79db849502dcb24b5c202 Mon Sep 17 00:00:00 2001
> From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
> Date: Mon, 19 Sep 2016 14:44:18 -0700
> Subject: ipc/shm: fix crash if CONFIG_SHMEM is not set
> 
> From: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> 
> commit 31b4beb473e3bdee1bf79db849502dcb24b5c202 upstream.
> 
> Commit c01d5b300774 ("shmem: get_unmapped_area align huge page") makes
> use of shm_get_unmapped_area() in shm_file_operations() unconditional to
> CONFIG_MMU.
> 
> As Tony Battersby pointed out, this can lead to a NULL-pointer dereference
> on a machine with CONFIG_MMU=y and CONFIG_SHMEM=n.  In this case ipc/shm is
> backed by ramfs, which doesn't provide f_op->get_unmapped_area for
> configurations with an MMU.
> 
> The solution is to provide a dummy f_op->get_unmapped_area for ramfs when
> CONFIG_MMU=y, which just calls current->mm->get_unmapped_area().
> 
> Fixes: c01d5b300774 ("shmem: get_unmapped_area align huge page")
> Link: http://lkml.kernel.org/r/20160912102704.140442-1-kirill.shutemov@xxxxxxxxxxxxxxx
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> Reported-by: Tony Battersby <tonyb@xxxxxxxxxxxxxxx>
> Tested-by: Tony Battersby <tonyb@xxxxxxxxxxxxxxx>
> Cc: Hugh Dickins <hughd@xxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> ---
>  fs/ramfs/file-mmu.c |    9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> --- a/fs/ramfs/file-mmu.c
> +++ b/fs/ramfs/file-mmu.c
> @@ -27,9 +27,17 @@
>  #include <linux/fs.h>
>  #include <linux/mm.h>
>  #include <linux/ramfs.h>
> +#include <linux/sched.h>
>  
>  #include "internal.h"
>  
> +static unsigned long ramfs_mmu_get_unmapped_area(struct file *file,
> +		unsigned long addr, unsigned long len, unsigned long pgoff,
> +		unsigned long flags)
> +{
> +	return current->mm->get_unmapped_area(file, addr, len, pgoff, flags);
> +}
> +
>  const struct file_operations ramfs_file_operations = {
>  	.read_iter	= generic_file_read_iter,
>  	.write_iter	= generic_file_write_iter,
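Review bot: the new ramfs_mmu_get_unmapped_area() has no comment explaining why a wrapper that only forwards to current->mm->get_unmapped_area() is needed at all; the reason is only in the commit message (ipc/shm is backed by ramfs when CONFIG_SHMEM=n and expects a non-NULL f_op->get_unmapped_area under CONFIG_MMU=y). A short comment above the function, such as `/* ipc/shm needs a non-NULL f_op->get_unmapped_area when CONFIG_SHMEM=n */`, would stop a later cleanup from removing it as redundant. The added `#include <linux/sched.h>` is the right place for `current`, so that part looks fine.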
> @@ -38,6 +46,7 @@ const struct file_operations ramfs_file_
>  	.splice_read	= generic_file_splice_read,
>  	.splice_write	= iter_file_splice_write,
>  	.llseek		= generic_file_llseek,
> +	.get_unmapped_area	= ramfs_mmu_get_unmapped_area,
>  };
>  
>  const struct inode_operations ramfs_file_inode_operations = {
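Review bot: the new `.get_unmapped_area	= ramfs_mmu_get_unmapped_area,` initialiser does not line up its `=` with the neighbouring `.splice_read`, `.splice_write` and `.llseek` entries, which pad with tabs to a common column. Since the new member name is longer than that column, either accept the misalignment or re-tab the whole initialiser block in this hunk; mixing the two styles is the one thing to avoid.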
> 
> 
> Patches currently in stable-queue which might be from kirill.shutemov@xxxxxxxxxxxxxxx are
> 
> queue-4.7/ipc-shm-fix-crash-if-config_shmem-is-not-set.patch