From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hugh Dickins <hughd@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Rik van Riel <riel@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.6 19/96] mm: thp: refix false positive BUG in page_move_anon_rmap()
Date: Mon, 8 Aug 2016 21:10:42 +0200 [thread overview]
Message-ID: <20160808180244.707543907@linuxfoundation.org> (raw)
In-Reply-To: <20160808180243.898163389@linuxfoundation.org>
4.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hugh Dickins <hughd@google.com>
commit 5a49973d7143ebbabd76e1dcd69ee42e349bb7b9 upstream.
The VM_BUG_ON_PAGE in page_move_anon_rmap() is more trouble than it's
worth: the syzkaller fuzzer hit it again. It's still wrong for some THP
cases, because linear_page_index() was never intended to apply to
addresses before the start of a vma.
That's easily fixed with a signed long cast inside linear_page_index();
and Dmitry has tested such a patch, to verify the false positive. But
why extend linear_page_index() just for this case? when the avoidance in
page_move_anon_rmap() has already grown ugly, and there's no reason for
the check at all (nothing else there is using address or index).
Remove address arg from page_move_anon_rmap(), remove VM_BUG_ON_PAGE,
remove CONFIG_DEBUG_VM PageTransHuge adjustment.
And one more thing: should the compound_head(page) be done inside or
outside page_move_anon_rmap()? It's usually pushed down to the lowest
level nowadays (and mm/memory.c shows no other explicit use of it), so I
think it's better done in page_move_anon_rmap() than by caller.
Fixes: 0798d3c022dc ("mm: thp: avoid false positive VM_BUG_ON_PAGE in page_move_anon_rmap()")
Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1607120444540.12528@eggly.anvils
Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/rmap.h | 2 +-
mm/hugetlb.c | 2 +-
mm/memory.c | 3 +--
mm/rmap.c | 9 +++------
4 files changed, 6 insertions(+), 10 deletions(-)
--- a/include/linux/rmap.h
+++ b/include/linux/rmap.h
@@ -158,7 +158,7 @@ struct anon_vma *page_get_anon_vma(struc
/*
* rmap interfaces called when adding or removing pte of page
*/
-void page_move_anon_rmap(struct page *, struct vm_area_struct *, unsigned long);
+void page_move_anon_rmap(struct page *, struct vm_area_struct *);
void page_add_anon_rmap(struct page *, struct vm_area_struct *,
unsigned long, bool);
void do_page_add_anon_rmap(struct page *, struct vm_area_struct *,
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3328,7 +3328,7 @@ retry_avoidcopy:
/* If no-one else is actually using this page, avoid the copy
* and just make the page writable */
if (page_mapcount(old_page) == 1 && PageAnon(old_page)) {
- page_move_anon_rmap(old_page, vma, address);
+ page_move_anon_rmap(old_page, vma);
set_huge_ptep_writable(vma, address, ptep);
return 0;
}
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2397,8 +2397,7 @@ static int do_wp_page(struct mm_struct *
* Protected against the rmap code by
* the page lock.
*/
- page_move_anon_rmap(compound_head(old_page),
- vma, address);
+ page_move_anon_rmap(old_page, vma);
}
unlock_page(old_page);
return wp_page_reuse(mm, vma, address, page_table, ptl,
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1084,23 +1084,20 @@ EXPORT_SYMBOL_GPL(page_mkclean);
* page_move_anon_rmap - move a page to our anon_vma
* @page: the page to move to our anon_vma
* @vma: the vma the page belongs to
- * @address: the user virtual address mapped
*
* When a page belongs exclusively to one process after a COW event,
* that page can be moved into the anon_vma that belongs to just that
* process, so the rmap code will not search the parent or sibling
* processes.
*/
-void page_move_anon_rmap(struct page *page,
- struct vm_area_struct *vma, unsigned long address)
+void page_move_anon_rmap(struct page *page, struct vm_area_struct *vma)
{
struct anon_vma *anon_vma = vma->anon_vma;
+ page = compound_head(page);
+
VM_BUG_ON_PAGE(!PageLocked(page), page);
VM_BUG_ON_VMA(!anon_vma, vma);
- if (IS_ENABLED(CONFIG_DEBUG_VM) && PageTransHuge(page))
- address &= HPAGE_PMD_MASK;
- VM_BUG_ON_PAGE(page->index != linear_page_index(vma, address), page);
anon_vma = (void *) anon_vma + PAGE_MAPPING_ANON;
/*
next prev parent reply other threads:[~2016-08-08 19:16 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20160808191823uscas1p21b9903f952ca81e8d85ef950478b703e@uscas1p2.samsung.com>
2016-08-08 19:10 ` [PATCH 4.6 00/96] 4.6.6-stable review Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 02/96] x86/quirks: Apply nvidia_bugs quirk only on root bus Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 03/96] x86/quirks: Reintroduce scanning of secondary buses Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 05/96] dmaengine: at_xdmac: align descriptors on 64 bits Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 06/96] dmaengine: at_xdmac: fix residue corruption Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 07/96] dmaengine: at_xdmac: double FIFO flush needed to compute residue Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 08/96] mm, sl[au]b: add __GFP_ATOMIC to the GFP reclaim mask Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 09/96] memcg: mem_cgroup_migrate() may be called with irq disabled Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 10/96] memcg: css_alloc should return an ERR_PTR value on error Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 11/96] mm/swap.c: flush lru pvecs on compound page arrival Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 12/96] mm, compaction: abort free scanner if split fails Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 13/96] fs/nilfs2: fix potential underflow in call to crc32_le Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 14/96] mm, compaction: prevent VM_BUG_ON when terminating freeing scanner Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 15/96] uapi: export lirc.h header Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 16/96] mm, meminit: always return a valid node from early_pfn_to_nid Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 17/96] mm, meminit: ensure node is online before checking whether pages are uninitialised Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 18/96] vmlinux.lds: account for destructor sections Greg Kroah-Hartman
2016-08-08 19:10 ` Greg Kroah-Hartman [this message]
2016-08-08 19:10 ` [PATCH 4.6 20/96] mm: memcontrol: fix cgroup creation failure after many small jobs Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 21/96] radix-tree: fix radix_tree_iter_retry() for tagged iterators Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 22/96] pps: do not crash when failed to register Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 23/96] kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 24/96] sched/debug: Fix deadlock when enabling sched events Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 25/96] arc: unwind: warn only once if DW2_UNWIND is disabled Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 26/96] ARC: unwind: ensure that .debug_frame is generated (vs. .eh_frame) Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 27/96] xen/pciback: Fix conf_space read/write overlap check Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 28/96] xen-blkfront: save uncompleted reqs in blkfront_resume() Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 29/96] xenbus: dont BUG() on user mode induced condition Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 30/96] xenbus: dont bail early from xenbus_dev_request_and_reply() Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 31/96] xen-blkfront: fix resume issues after a migration Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 32/96] xen-blkfront: dont call talk_to_blkback when already connected to blkback Greg Kroah-Hartman
2016-08-08 19:10 ` [PATCH 4.6 36/96] Input: vmmouse - remove port reservation Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 37/96] Input: elantech - add more IC body types to the list Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 38/96] Input: xpad - fix oops when attaching an unknown Xbox One gamepad Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 39/96] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 40/96] Input: wacom_w8001 - ignore invalid pen data packets Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 41/96] Input: xpad - validate USB endpoint count during probe Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 42/96] Revert "Input: wacom_w8001 - drop use of ABS_MT_TOOL_TYPE" Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 43/96] Input: synaptics-rmi4 - fix maximum size check for F12 control register 8 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 45/96] pvclock: Add CPU barriers to get correct version value Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 46/96] pinctrl: single: Fix missing flush of posted write for a wakeirq Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 47/96] pinctrl: imx: Do not treat a PIN without MUX register as an error Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 48/96] cgroup: remove redundant cleanup in css_create Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 49/96] cgroup: set css->id to -1 during init Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 50/96] cgroup: Disable IRQs while holding css_set_lock Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 51/96] power_supply: power_supply_read_temp only if use_cnt > 0 Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 52/96] locks: use file_inode() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 53/96] Revert "ecryptfs: forbid opening files without mmap handler" Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 54/96] ecryptfs: dont allow mmap when the lower fs doesnt support it Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 55/96] ext4: verify extent header depth Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 56/96] 9p: use file_dentry() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 57/96] cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 58/96] devpts: fix null pointer dereference on failed memory allocation Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 59/96] namespace: update event counter when umounting a deleted dentry Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 60/96] spi: rockchip: Signal unfinished DMA transfers Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 61/96] spi: sunxi: fix transfer timeout Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 62/96] spi: sun4i: fix FIFO limit Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 63/96] clk: rockchip: initialize flags of clk_init_data in mmc-phase clock Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 64/96] clk: at91: fix clk_programmable_set_parent() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 65/96] lockd: unregister notifier blocks if the service fails to come up completely Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 66/96] platform/chrome: cros_ec_dev - double fetch bug in ioctl Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 67/96] qeth: delete napi struct when removing a qeth device Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 68/96] init/Kconfig: keep Expert users menu together Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 69/96] block: fix use-after-free in sys_ioprio_get() Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 70/96] mmc: block: fix free of uninitialized idata->buf Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 71/96] mmc: block: fix packed command header endianness Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 72/96] sched/fair: Fix effective_load() to consistently use smoothed load Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 73/96] can: at91_can: RX queue could get stuck at high bus load Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 74/96] can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 75/96] can: fix handling of unmodifiable configuration options fix Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 76/96] can: fix oops caused by wrong rtnl dellink usage Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 77/96] RDS: fix rds_tcp_init() error path Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 78/96] irqchip/mips-gic: Map to VPs using HW VPNum Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 79/96] irqchip/mips-gic: Match IPI IRQ domain by bus token only Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 81/96] SCSI: fix new bug in scsi_dev_info_list string matching Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 82/96] ipr: Clear interrupt on croc/crocodile when running with LSI Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 83/96] media: fix airspy usb probe error path Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 84/96] posix_cpu_timer: Exit early when process has been reaped Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 85/96] cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 86/96] [media] adv7604: Dont ignore pad number in subdev DV timings pad operations Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 87/96] i2c: qup: Fix wrong value of index variable Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 88/96] i2c: mux: reg: wrong condition checked for of_address_to_resource return value Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 89/96] libata: LITE-ON CX1-JB256-HP needs lower max_sectors Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 90/96] libceph: apply new_state before new_up_client on incrementals Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 91/96] net: mvneta: set real interrupt per packet for tx_done Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 92/96] cfg80211: handle failed skb allocation Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 93/96] intel_th: pci: Add Kaby Lake PCH-H support Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 94/96] intel_th: Fix a deadlock in modprobing Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 95/96] vfs: ioctl: prevent double-fetch in dedupe ioctl Greg Kroah-Hartman
2016-08-08 19:11 ` [PATCH 4.6 96/96] vfs: fix deadlock in file_remove_privs() on overlayfs Greg Kroah-Hartman
2016-08-09 5:03 ` [PATCH 4.6 00/96] 4.6.6-stable review Guenter Roeck
2016-08-09 8:24 ` Greg Kroah-Hartman
2016-08-09 8:33 ` Paul Burton
2016-08-09 8:37 ` Greg Kroah-Hartman
2016-08-09 16:19 ` Guenter Roeck
2016-08-09 17:22 ` Greg Kroah-Hartman
2016-08-10 1:25 ` Guenter Roeck
2016-08-09 15:10 ` Shuah Khan
2016-08-09 17:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160808180244.707543907@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=hughd@google.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=riel@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).