Date: Fri, 11 Aug 2023 15:30:33 -0700
To: mm-commits@vger.kernel.org, ziy@nvidia.com, zhengqi.arch@bytedance.com, zackr@vmware.com, yuzhao@google.com, ying.huang@intel.com, willy@infradead.org, will@kernel.org, vishal.moola@gmail.com, vbabka@suse.cz, thomas.hellstrom@linux.intel.com, surenb@google.com, steven.price@arm.com, song@kernel.org,
    sj@kernel.org, shy828301@gmail.com, rppt@kernel.org, rcampbell@nvidia.com, peterz@infradead.org, peterx@redhat.com, pasha.tatashin@soleen.com, naoya.horiguchi@nec.com, mpe@ellerman.id.au, minchan@kernel.org, mike.kravetz@oracle.com, mgorman@techsingularity.net, lstoakes@gmail.com, linux@armlinux.org.uk, linmiaohe@huawei.com, kirill.shutemov@linux.intel.com, jgg@ziepe.ca, jannh@google.com, ira.weiny@intel.com, imbrenda@linux.ibm.com, hch@infradead.org, hca@linux.ibm.com, gor@linux.ibm.com, gerald.schaefer@linux.ibm.com, david@redhat.com, davem@davemloft.net, christophe.leroy@csgroup.eu, borntraeger@linux.ibm.com, axelrasmussen@google.com, apopple@nvidia.com, anshuman.khandual@arm.com, aneesh.kumar@linux.ibm.com, agordeev@linux.ibm.com, hughd@google.com, akpm@linux-foundation.org
From: Andrew Morton
Subject: [folded-merged] mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock-fix.patch removed from -mm tree
Message-Id: <20230811223034.394C6C433C7@smtp.kernel.org>
Reply-To: linux-kernel@vger.kernel.org
X-Mailing-List: mm-commits@vger.kernel.org

The quilt patch titled
     Subject: mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock(): fix
has been removed from the -mm tree.  Its filename was
     mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock-fix.patch

This patch was dropped because it was folded into mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock.patch

------------------------------------------------------
From: Hugh Dickins
Subject: mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock(): fix
Date: Sun, 23 Jul 2023 15:32:27 -0700 (PDT)

madvise_collapse() setting "mmap_locked = true" after calling
collapse_pte_mapped_thp() looked good but was wrong.  If the loop then
moves on to the next extent, mmap_locked assures it that "vma" has been
revalidated under mmap_lock, which was not the case: and led to UAFs,
crashes in __fput() or task_work_run(), even collapse_file()'s
VM_BUG_ON(start & (HPAGE_PMD_NR - 1)) - all detected by syzbot.

(collapse_pte_mapped_thp() does validate the vma that it works on: but
it's not passed in as an argument, collapse_pte_mapped_thp() finds the vma
for mm and addr by itself - which may by this time have changed from the
vma saved in madvise_collapse().)

Link: https://lkml.kernel.org/r/d3d9ff14-ef8-8f84-e160-bfa1f5794275@google.com
Signed-off-by: Hugh Dickins
Reported-by: syzbot+fe7b1487405295d29268@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/000000000000f9de430600ae05db@google.com/
Reported-by: syzbot+173cc8cfdfbbef6dd755@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-mm/000000000000e4b0f0060123ca40@google.com/
Cc: Alexander Gordeev
Cc: Alistair Popple
Cc: Aneesh Kumar K.V
Cc: Anshuman Khandual
Cc: Axel Rasmussen
Cc: Christian Borntraeger
Cc: Christophe Leroy
Cc: Christoph Hellwig
Cc: Claudio Imbrenda
Cc: David Hildenbrand
Cc: "David S. Miller"
Cc: Gerald Schaefer
Cc: Heiko Carstens
Cc: Huang, Ying
Cc: Ira Weiny
Cc: Jann Horn
Cc: Jason Gunthorpe
Cc: Kirill A. Shutemov
Cc: Lorenzo Stoakes
Cc: Matthew Wilcox (Oracle)
Cc: Mel Gorman
Cc: Miaohe Lin
Cc: Michael Ellerman
Cc: Mike Kravetz
Cc: Mike Rapoport (IBM)
Cc: Minchan Kim
Cc: Naoya Horiguchi
Cc: Pavel Tatashin
Cc: Peter Xu
Cc: Peter Zijlstra
Cc: Qi Zheng
Cc: Ralph Campbell
Cc: Russell King
Cc: SeongJae Park
Cc: Song Liu
Cc: Steven Price
Cc: Suren Baghdasaryan
Cc: Thomas Hellström
Cc: Vasily Gorbik
Cc: Vishal Moola (Oracle)
Cc: Vlastimil Babka
Cc: Will Deacon
Cc: Yang Shi
Cc: Yu Zhao
Cc: Zack Rusin
Cc: Zi Yan
Signed-off-by: Andrew Morton
---

 mm/khugepaged.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/khugepaged.c~mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock-fix
+++ a/mm/khugepaged.c
@@ -2840,7 +2840,7 @@ handle_result: BUG_ON(*prev); mmap_read_lock(mm); result = collapse_pte_mapped_thp(mm, addr, true); - mmap_locked = true; + mmap_read_unlock(mm); goto handle_result; /* Whitelisted set of results where continuing OK */ case SCAN_PMD_NULL: _ Patches currently in -mm which might be from hughd@google.com are mm-userfaultfd-add-new-uffdio_poison-ioctl-fix.patch mm-pgtable-add-rcu_read_lock-and-rcu_read_unlocks.patch mm-pgtable-add-pae-safety-to-__pte_offset_map.patch arm-adjust_pte-use-pte_offset_map_nolock.patch powerpc-assert_pte_locked-use-pte_offset_map_nolock.patch powerpc-add-pte_free_defer-for-pgtables-sharing-page.patch sparc-add-pte_free_defer-for-pte_t-pgtable_t.patch s390-add-pte_free_defer-for-pgtables-sharing-page.patch mm-pgtable-add-pte_free_defer-for-pgtable-as-page.patch mm-khugepaged-retract_page_tables-without-mmap-or-vma-lock.patch mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock.patch mm-khugepaged-collapse_pte_mapped_thp-with-mmap_read_lock-fix2.patch mm-khugepaged-delete-khugepaged_collapse_pte_mapped_thps.patch mm-khugepaged-delete-khugepaged_collapse_pte_mapped_thps-fix.patch mm-delete-mmap_write_trylock-and-vma_try_start_write.patch mm-pgtable-notes-on-pte_offset_map.patch
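Review bot: with `mmap_locked = true;` replaced by `mmap_read_unlock(mm);`, the lock is now taken and dropped around the single `collapse_pte_mapped_thp(mm, addr, true)` call, but nothing in the hunk shows mmap_locked being cleared on this path, so the `goto handle_result` that follows is only safe if mmap_locked is already false when this case is entered; that is worth confirming against the code above the hunk. The old line looked reasonable enough that someone could reintroduce it, so a one-line comment above the unlock, along the lines of `/* vma may have changed under us: do not report mmap_locked, force revalidation */`, would record why the lock is deliberately dropped here instead of being reported as held.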
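The failure the commit message describes, a "locked" flag that also stands for "vma was revalidated", can be modelled outside the kernel. The block below is an added userspace example, not code from this patch or from mm/khugepaged.c: the names mirror the kernel's, HPAGE_PMD_SIZE is assumed to be the 2 MiB x86-64 PMD size, a fixed slot pool with generation counters stands in for SLAB reuse of freed vma objects, and the stand-in collapse_pte_mapped_thp() retires and re-creates the vma to play the part of the concurrent mapping change the real code has to tolerate. The buggy variant keeps the removed `mmap_locked = true` and handles the second extent through a vma that no longer matches what find_vma() returned; the fixed variant drops the lock so the next extent looks the vma up again.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace toy of the bug in the commit message, not kernel code:
 * a loop caches a vma pointer, drops and retakes the lock around a call that
 * looks the vma up by itself, and wrongly reports mmap_locked = true as if the
 * cached vma were still valid.  Names mirror the kernel's; sizes are assumed. */
#define NR_VMAS 4
#define HPAGE_PMD_SIZE (1UL << 21)     /* 2 MiB extent, assumed x86-64 PMD size */

struct vma { unsigned long start, end; unsigned gen; bool live; };
struct mm  { struct vma vmas[NR_VMAS]; unsigned next_gen; int lock_held; };

static void init_mm(struct mm *mm, unsigned long start, unsigned long end)
{
    *mm = (struct mm){ .next_gen = 1 };
    mm->vmas[0] = (struct vma){ start, end, 1, true };
}

/* Single-threaded stand-ins for mmap_lock; the asserts catch lock imbalance. */
static void mmap_read_lock(struct mm *mm)   { assert(!mm->lock_held); mm->lock_held = 1; }
static void mmap_read_unlock(struct mm *mm) { assert(mm->lock_held);  mm->lock_held = 0; }

/* Only valid while the lock is held: the pointer can go stale once it is dropped. */
static struct vma *find_vma(struct mm *mm, unsigned long addr)
{
    assert(mm->lock_held);
    for (int i = 0; i < NR_VMAS; i++)
        if (mm->vmas[i].live && addr >= mm->vmas[i].start && addr < mm->vmas[i].end)
            return &mm->vmas[i];
    return NULL;
}

/* Stand-in for collapse_pte_mapped_thp(): finds the vma for (mm, addr) itself.
 * Its side effect plays the concurrent munmap()+mmap() the real code must
 * tolerate: the old vma dies and the range is re-created in the first free
 * slot, which is the one just freed (SLAB-style reuse), with a new generation. */
static int collapse_pte_mapped_thp(struct mm *mm, unsigned long addr)
{
    struct vma *old = find_vma(mm, addr);
    if (!old)
        return -1;
    struct vma fresh = { old->start, old->end, ++mm->next_gen, true };
    old->live = false;
    for (int i = 0; i < NR_VMAS; i++)
        if (!mm->vmas[i].live) { mm->vmas[i] = fresh; return 0; }
    return -1;
}

/* Model of the madvise_collapse() loop.  buggy == true does what the removed
 * line did (mmap_locked = true after the call); otherwise the lock is dropped so
 * the next extent re-looks the vma up.  Returns how many extents were handled
 * through a cached vma that no longer matches the live one, i.e. the number of
 * dereferences that would be use-after-free in the real code. */
static int madvise_collapse(struct mm *mm, unsigned long start, unsigned long end, bool buggy)
{
    bool mmap_locked = false;
    struct vma *vma = NULL;
    unsigned vma_gen = 0;
    int stale = 0;

    for (unsigned long addr = start; addr < end; addr += HPAGE_PMD_SIZE) {
        if (!mmap_locked) {
            mmap_read_lock(mm);
            mmap_locked = true;
            vma = find_vma(mm, addr);                /* revalidate under the lock */
            if (!vma) { mmap_read_unlock(mm); return -1; }
            vma_gen = vma->gen;
        }
        if (!vma->live || vma->gen != vma_gen)       /* the "use" of the cached vma */
            stale++;

        /* Scan says the extent is a pte-mapped THP: drop the lock, retake it just
         * for the collapse, the same shape as the hunk in this mail. */
        mmap_read_unlock(mm);
        mmap_locked = false;
        mmap_read_lock(mm);
        collapse_pte_mapped_thp(mm, addr);
        if (buggy)
            mmap_locked = true;     /* lock is held, but vma was never revalidated */
        else
            mmap_read_unlock(mm);   /* the fix: next extent must call find_vma() again */
    }
    if (mmap_locked)
        mmap_read_unlock(mm);
    return stale;
}

/* Two PMD extents in one vma; returns the stale-use count for either variant. */
static int demo(bool buggy)
{
    struct mm mm;
    unsigned long start = 0x10000000UL, end = start + 2 * HPAGE_PMD_SIZE;
    init_mm(&mm, start, end);
    return madvise_collapse(&mm, start, end, buggy);
}

int main(void)
{
    printf("buggy loop: %d stale vma use(s)\n", demo(true));   /* 1 */
    printf("fixed loop: %d stale vma use(s)\n", demo(false));  /* 0 */
    return 0;
}
```

The generation check stands in for the memory-safety failure: in the model the stale pointer still points at a live slot, which is exactly why the real bug surfaced as use-after-free crashes in unrelated code rather than as a clean fault. The lock asserts also show why the fix is shaped as an unlock rather than a flag change: leaving the lock held and the flag true keeps the lock discipline consistent while silently breaking the revalidation it was meant to imply.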