kernel-2.6.18-194.11.1.el5.src.rpm

From: Eugene Teo <eteo@redhat.com>
Date: Thu, 7 Aug 2008 18:16:26 +0800
Subject:  [mm] tmpfs: restore missing clear_highpage
Message-id: 20080807101626.GA26686@kernel.sg
O-Subject: [RHEL5.3 PATCH] BZ#426083 tmpfs: restore missing clear_highpage
Bugzilla: 426083
RH-Acked-by: Larry Woodman <lwoodman@redhat.com>
CVE: CVE-2007-6417

This is for bz#426083 (CVE-2007-6417).

Backport of upstream commit e84e2e132c9c66d8498e7710d4ea532d1feaaac5

tmpfs was misconverted to __GFP_ZERO in 2.6.11.  There's an unusual case in
which shmem_getpage receives the page from its caller instead of allocating.
We must cover this case by clear_highpage before SetPageUptodate, as before.

Brew build:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1423868

Test status:
Booted on x86_64. No reproducer for testing this.

Signed-off-by: Eugene Teo <eteo@redhat.com>

diff --git a/mm/shmem.c b/mm/shmem.c
index bf9d09a..1a19c20 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1040,7 +1040,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem_inode_info *info,
 	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
 	pvma.vm_pgoff = idx;
 	pvma.vm_end = PAGE_SIZE;
-	page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
+	page = alloc_page_vma(gfp, &pvma, 0);
 	mpol_free(pvma.vm_policy);
 	return page;
 }
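Review bot: with __GFP_ZERO dropped from the alloc_page_vma() call, shmem_alloc_page() now returns a page that still holds stale contents, and nothing at the function says so. Add a comment above it stating that the page is not zeroed and that the caller must clear it before SetPageUptodate(), and confirm that every caller of shmem_alloc_page() reaches the clear_highpage() added later in this patch, since any path that skips it would expose old memory through a tmpfs file.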
@@ -1060,7 +1060,7 @@ shmem_swapin(struct shmem_inode_info *info,swp_entry_t entry,unsigned long idx)
 static inline struct page *
 shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
 {
-	return alloc_page(gfp | __GFP_ZERO);
+	return alloc_page(gfp);
 }
 #endif
 
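Review bot: the inline variant `return alloc_page(gfp);` is only built in the configuration guarded by the conditional that ends at this #endif, while the test status lists a single x86_64 boot. Please at least compile-test the configuration that selects this variant, so that both definitions of shmem_alloc_page() are known to build and behave the same way (page returned unzeroed, cleared by the caller).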
@@ -1269,6 +1269,7 @@ repeat:
 
 		info->alloced++;
 		spin_unlock(&info->lock);
+		clear_highpage(filepage);
 		flush_dcache_page(filepage);
 		SetPageUptodate(filepage);
 	}
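Review bot: clear_highpage(filepage) is correctly placed before flush_dcache_page() and SetPageUptodate(), but it has no comment, and per the commit message this is the clear that an earlier conversion to __GFP_ZERO already dropped once. Add a short comment at this line saying that filepage may have been passed in by the caller rather than allocated, so the zeroing has to happen here and cannot be left to the allocator. Since the test status says there is no reproducer, that comment is the main guard against the line being removed again.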