From: Eugene Teo <eteo@redhat.com> Date: Thu, 7 Aug 2008 18:16:26 +0800 Subject: [mm] tmpfs: restore missing clear_highpage Message-id: 20080807101626.GA26686@kernel.sg O-Subject: [RHEL5.3 PATCH] BZ#426083 tmpfs: restore missing clear_highpage Bugzilla: 426083 RH-Acked-by: Larry Woodman <lwoodman@redhat.com> CVE: CVE-2007-6417 This is for bz#426083 (CVE-2007-6417). Backport of upstream commit e84e2e132c9c66d8498e7710d4ea532d1feaaac5 tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in which shmem_getpage receives the page from its caller instead of allocating. We must cover this case by clear_highpage before SetPageUptodate, as before. Brew build: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1423868 Test status: Booted on x86_64. No reproducer for testing this. Signed-off-by: Eugene Teo <eteo@redhat.com> diff --git a/mm/shmem.c b/mm/shmem.c index bf9d09a..1a19c20 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -1040,7 +1040,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem_inode_info *info, pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx); pvma.vm_pgoff = idx; pvma.vm_end = PAGE_SIZE; - page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0); + page = alloc_page_vma(gfp, &pvma, 0); mpol_free(pvma.vm_policy); return page; } @@ -1060,7 +1060,7 @@ shmem_swapin(struct shmem_inode_info *info,swp_entry_t entry,unsigned long idx) static inline struct page * shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx) { - return alloc_page(gfp | __GFP_ZERO); + return alloc_page(gfp); } #endif @@ -1269,6 +1269,7 @@ repeat: info->alloced++; spin_unlock(&info->lock); + clear_highpage(filepage); flush_dcache_page(filepage); SetPageUptodate(filepage); }
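Review bot: In the two shmem_alloc_page hunks (the alloc_page_vma variant at -1040 and the alloc_page variant at -1060), dropping __GFP_ZERO means every caller of shmem_alloc_page now gets a page that still holds whatever was in it before, while the patch adds a single clear_highpage call in the repeat: path. The description should state that no other caller of shmem_alloc_page in this tree depended on the allocator zeroing the page. If one did, it needs its own clear before the page is marked uptodate, otherwise old memory contents become readable through tmpfs.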
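Review bot: The clear_highpage(filepage) added before flush_dcache_page(filepage) in the -1269 hunk carries no comment, and its reason cannot be read off the code. Per the commit message, filepage can be handed in by the caller instead of being allocated here, so allocation flags cannot be relied on to zero it. A one-line comment saying so above the call would keep a later cleanup from folding the zeroing back into __GFP_ZERO. The ordering of clear, then flush_dcache_page, then SetPageUptodate is what the message asks for. Since the test status says "No reproducer for testing this", please add a sentence on how the caller-supplied-page case was checked, even if only by code inspection.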