From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Biener <rguenther@suse.de>,
"H.J. Lu" <hjl.tools@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Yang Shi <yang.shi@linux.alibaba.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Borislav Petkov <bp@alien8.de>, Guan Xuetao <gxt@pku.edu.cn>,
"H. Peter Anvin" <hpa@zytor.com>, Jeff Dike <jdike@addtoit.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>, Paul Mackerras <paulus@samba.org>,
Peter Zijlstra <peterz@infradead.org>,
Richard Weinberger <richard@nod.at>,
Rik van Riel <riel@surriel.com>, Vlastimil Babka <vbabka@suse.cz>,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
linux-um@lists.infradead.org, linuxppc-dev@lists.ozlabs.org,
Ingo Molnar <mingo@kernel.org>
Subject: [PATCH 5.0 075/139] x86/mpx, mm/core: Fix recursive munmap() corruption
Date: Thu, 23 May 2019 21:06:03 +0200 [thread overview]
Message-ID: <20190523181730.571246299@linuxfoundation.org> (raw)
In-Reply-To: <20190523181720.120897565@linuxfoundation.org>
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 5a28fc94c9143db766d1ba5480cae82d856ad080 upstream.
This is a bit of a mess, to put it mildly. But, it's a bug
that only seems to have showed up in 4.20 but wasn't noticed
until now, because nobody uses MPX.
MPX has the arch_unmap() hook inside of munmap() because MPX
uses bounds tables that protect other areas of memory. When
memory is unmapped, there is also a need to unmap the MPX
bounds tables. Barring this, unused bounds tables can eat 80%
of the address space.
But, the recursive do_munmap() that gets called vi arch_unmap()
wreaks havoc with __do_munmap()'s state. It can result in
freeing populated page tables, accessing bogus VMA state,
double-freed VMAs and more.
See the "long story" further below for the gory details.
To fix this, call arch_unmap() before __do_unmap() has a chance
to do anything meaningful. Also, remove the 'vma' argument
and force the MPX code to do its own, independent VMA lookup.
== UML / unicore32 impact ==
Remove unused 'vma' argument to arch_unmap(). No functional
change.
I compile tested this on UML but not unicore32.
== powerpc impact ==
powerpc uses arch_unmap() well to watch for munmap() on the
VDSO and zeroes out 'current->mm->context.vdso_base'. Moving
arch_unmap() makes this happen earlier in __do_munmap(). But,
'vdso_base' seems to only be used in perf and in the signal
delivery that happens near the return to userspace. I can not
find any likely impact to powerpc, other than the zeroing
happening a little earlier.
powerpc does not use the 'vma' argument and is unaffected by
its removal.
I compile-tested a 64-bit powerpc defconfig.
== x86 impact ==
For the common success case this is functionally identical to
what was there before. For the munmap() failure case, it's
possible that some MPX tables will be zapped for memory that
continues to be in use. But, this is an extraordinarily
unlikely scenario and the harm would be that MPX provides no
protection since the bounds table got reset (zeroed).
I can't imagine anyone doing this:
ptr = mmap();
// use ptr
ret = munmap(ptr);
if (ret)
// oh, there was an error, I'll
// keep using ptr.
Because if you're doing munmap(), you are *done* with the
memory. There's probably no good data in there _anyway_.
This passes the original reproducer from Richard Biener as
well as the existing mpx selftests/.
The long story:
munmap() has a couple of pieces:
1. Find the affected VMA(s)
2. Split the start/end one(s) if neceesary
3. Pull the VMAs out of the rbtree
4. Actually zap the memory via unmap_region(), including
freeing page tables (or queueing them to be freed).
5. Fix up some of the accounting (like fput()) and actually
free the VMA itself.
This specific ordering was actually introduced by:
dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
during the 4.20 merge window. The previous __do_munmap() code
was actually safe because the only thing after arch_unmap() was
remove_vma_list(). arch_unmap() could not see 'vma' in the
rbtree because it was detached, so it is not even capable of
doing operations unsafe for remove_vma_list()'s use of 'vma'.
Richard Biener reported a test that shows this in dmesg:
[1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551
[1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576
What triggered this was the recursive do_munmap() called via
arch_unmap(). It was freeing page tables that has not been
properly zapped.
But, the problem was bigger than this. For one, arch_unmap()
can free VMAs. But, the calling __do_munmap() has variables
that *point* to VMAs and obviously can't handle them just
getting freed while the pointer is still in use.
I tried a couple of things here. First, I tried to fix the page
table freeing problem in isolation, but I then found the VMA
issue. I also tried having the MPX code return a flag if it
modified the rbtree which would force __do_munmap() to re-walk
to restart. That spiralled out of control in complexity pretty
fast.
Just moving arch_unmap() and accepting that the bonkers failure
case might eat some bounds tables seems like the simplest viable
fix.
This was also reported in the following kernel bugzilla entry:
https://bugzilla.kernel.org/show_bug.cgi?id=203123
There are some reports that this commit triggered this bug:
dd2283f2605 ("mm: mmap: zap pages with read mmap_sem in munmap")
While that commit certainly made the issues easier to hit, I believe
the fundamental issue has been with us as long as MPX itself, thus
the Fixes: tag below is for one of the original MPX commits.
[ mingo: Minor edits to the changelog and the patch. ]
Reported-by: Richard Biener <rguenther@suse.de>
Reported-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Guan Xuetao <gxt@pku.edu.cn>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-arch@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: linux-um@lists.infradead.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: stable@vger.kernel.org
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Link: http://lkml.kernel.org/r/20190419194747.5E1AD6DC@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/mmu_context.h | 1 -
arch/um/include/asm/mmu_context.h | 1 -
arch/unicore32/include/asm/mmu_context.h | 1 -
arch/x86/include/asm/mmu_context.h | 6 +++---
arch/x86/include/asm/mpx.h | 15 ++++++++-------
arch/x86/mm/mpx.c | 10 ++++++----
include/asm-generic/mm_hooks.h | 1 -
mm/mmap.c | 15 ++++++++-------
8 files changed, 25 insertions(+), 25 deletions(-)
--- a/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@ -237,7 +237,6 @@ extern void arch_exit_mmap(struct mm_str
#endif
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
if (start <= mm->context.vdso_base && mm->context.vdso_base < end)
--- a/arch/um/include/asm/mmu_context.h
+++ b/arch/um/include/asm/mmu_context.h
@@ -22,7 +22,6 @@ static inline int arch_dup_mmap(struct m
}
extern void arch_exit_mmap(struct mm_struct *mm);
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/unicore32/include/asm/mmu_context.h
+++ b/arch/unicore32/include/asm/mmu_context.h
@@ -88,7 +88,6 @@ static inline int arch_dup_mmap(struct m
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str
mpx_mm_init(mm);
}
-static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+static inline void arch_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
/*
* mpx_notify_unmap() goes and reads a rarely-hot
@@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_
* consistently wrong.
*/
if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX)))
- mpx_notify_unmap(mm, vma, start, end);
+ mpx_notify_unmap(mm, start, end);
}
/*
--- a/arch/x86/include/asm/mpx.h
+++ b/arch/x86/include/asm/mpx.h
@@ -64,12 +64,15 @@ struct mpx_fault_info {
};
#ifdef CONFIG_X86_INTEL_MPX
-int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
-int mpx_handle_bd_fault(void);
+
+extern int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
+extern int mpx_handle_bd_fault(void);
+
static inline int kernel_managing_mpx_tables(struct mm_struct *mm)
{
return (mm->context.bd_addr != MPX_INVALID_BOUNDS_DIR);
}
+
static inline void mpx_mm_init(struct mm_struct *mm)
{
/*
@@ -78,11 +81,10 @@ static inline void mpx_mm_init(struct mm
*/
mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR;
}
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end);
-unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len,
- unsigned long flags);
+extern void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, unsigned long end);
+extern unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags);
+
#else
static inline int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs)
{
@@ -100,7 +102,6 @@ static inline void mpx_mm_init(struct mm
{
}
static inline void mpx_notify_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st
* the virtual address region start...end have already been split if
* necessary, and the 'vma' is the first vma in this range (start -> end).
*/
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
+ struct vm_area_struct *vma;
int ret;
/*
@@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct *
* which should not occur normally. Being strict about it here
* helps ensure that we do not have an exploitable stack overflow.
*/
- do {
+ vma = find_vma(mm, start);
+ while (vma && vma->vm_start < end) {
if (vma->vm_flags & VM_MPX)
return;
vma = vma->vm_next;
- } while (vma && vma->vm_start < end);
+ }
ret = mpx_unmap_tables(mm, start, end);
if (ret)
--- a/include/asm-generic/mm_hooks.h
+++ b/include/asm-generic/mm_hooks.h
@@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2736,9 +2736,17 @@ int __do_munmap(struct mm_struct *mm, un
return -EINVAL;
len = PAGE_ALIGN(len);
+ end = start + len;
if (len == 0)
return -EINVAL;
+ /*
+ * arch_unmap() might do unmaps itself. It must be called
+ * and finish any rbtree manipulation before this code
+ * runs and also starts to manipulate the rbtree.
+ */
+ arch_unmap(mm, start, end);
+
/* Find the first overlapping VMA */
vma = find_vma(mm, start);
if (!vma)
@@ -2747,7 +2755,6 @@ int __do_munmap(struct mm_struct *mm, un
/* we have start < vma->vm_end */
/* if it doesn't overlap, we have nothing.. */
- end = start + len;
if (vma->vm_start >= end)
return 0;
@@ -2817,12 +2824,6 @@ int __do_munmap(struct mm_struct *mm, un
/* Detach vmas from rbtree */
detach_vmas_to_be_unmapped(mm, vma, prev, end);
- /*
- * mpx unmap needs to be called with mmap_sem held for write.
- * It is safe to call it before unmap_region().
- */
- arch_unmap(mm, vma, start, end);
-
if (downgrade)
downgrade_write(&mm->mmap_sem);
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Richard Biener <rguenther@suse.de>,
"H.J. Lu" <hjl.tools@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Yang Shi <yang.shi@linux.alibaba.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Borislav Petkov <bp@alien8.de>, Guan Xuetao <gxt@pku.edu.cn>,
"H. Peter Anvin" <hpa@zytor.com>, Jeff Dike <jdike@addtoit.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Michal Hocko <mhocko@suse.com>, Paul Mackerras <paulus@samba.org>,
Peter Zijlstra <peterz@infradead.org>,
Richard Weinberger <richard@nod.at>Ri
Subject: [PATCH 5.0 075/139] x86/mpx, mm/core: Fix recursive munmap() corruption
Date: Thu, 23 May 2019 21:06:03 +0200 [thread overview]
Message-ID: <20190523181730.571246299@linuxfoundation.org> (raw)
In-Reply-To: <20190523181720.120897565@linuxfoundation.org>
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 5a28fc94c9143db766d1ba5480cae82d856ad080 upstream.
This is a bit of a mess, to put it mildly. But, it's a bug
that only seems to have showed up in 4.20 but wasn't noticed
until now, because nobody uses MPX.
MPX has the arch_unmap() hook inside of munmap() because MPX
uses bounds tables that protect other areas of memory. When
memory is unmapped, there is also a need to unmap the MPX
bounds tables. Barring this, unused bounds tables can eat 80%
of the address space.
But, the recursive do_munmap() that gets called vi arch_unmap()
wreaks havoc with __do_munmap()'s state. It can result in
freeing populated page tables, accessing bogus VMA state,
double-freed VMAs and more.
See the "long story" further below for the gory details.
To fix this, call arch_unmap() before __do_unmap() has a chance
to do anything meaningful. Also, remove the 'vma' argument
and force the MPX code to do its own, independent VMA lookup.
== UML / unicore32 impact ==
Remove unused 'vma' argument to arch_unmap(). No functional
change.
I compile tested this on UML but not unicore32.
== powerpc impact ==
powerpc uses arch_unmap() well to watch for munmap() on the
VDSO and zeroes out 'current->mm->context.vdso_base'. Moving
arch_unmap() makes this happen earlier in __do_munmap(). But,
'vdso_base' seems to only be used in perf and in the signal
delivery that happens near the return to userspace. I can not
find any likely impact to powerpc, other than the zeroing
happening a little earlier.
powerpc does not use the 'vma' argument and is unaffected by
its removal.
I compile-tested a 64-bit powerpc defconfig.
== x86 impact ==
For the common success case this is functionally identical to
what was there before. For the munmap() failure case, it's
possible that some MPX tables will be zapped for memory that
continues to be in use. But, this is an extraordinarily
unlikely scenario and the harm would be that MPX provides no
protection since the bounds table got reset (zeroed).
I can't imagine anyone doing this:
ptr = mmap();
// use ptr
ret = munmap(ptr);
if (ret)
// oh, there was an error, I'll
// keep using ptr.
Because if you're doing munmap(), you are *done* with the
memory. There's probably no good data in there _anyway_.
This passes the original reproducer from Richard Biener as
well as the existing mpx selftests/.
The long story:
munmap() has a couple of pieces:
1. Find the affected VMA(s)
2. Split the start/end one(s) if neceesary
3. Pull the VMAs out of the rbtree
4. Actually zap the memory via unmap_region(), including
freeing page tables (or queueing them to be freed).
5. Fix up some of the accounting (like fput()) and actually
free the VMA itself.
This specific ordering was actually introduced by:
dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
during the 4.20 merge window. The previous __do_munmap() code
was actually safe because the only thing after arch_unmap() was
remove_vma_list(). arch_unmap() could not see 'vma' in the
rbtree because it was detached, so it is not even capable of
doing operations unsafe for remove_vma_list()'s use of 'vma'.
Richard Biener reported a test that shows this in dmesg:
[1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551
[1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576
What triggered this was the recursive do_munmap() called via
arch_unmap(). It was freeing page tables that has not been
properly zapped.
But, the problem was bigger than this. For one, arch_unmap()
can free VMAs. But, the calling __do_munmap() has variables
that *point* to VMAs and obviously can't handle them just
getting freed while the pointer is still in use.
I tried a couple of things here. First, I tried to fix the page
table freeing problem in isolation, but I then found the VMA
issue. I also tried having the MPX code return a flag if it
modified the rbtree which would force __do_munmap() to re-walk
to restart. That spiralled out of control in complexity pretty
fast.
Just moving arch_unmap() and accepting that the bonkers failure
case might eat some bounds tables seems like the simplest viable
fix.
This was also reported in the following kernel bugzilla entry:
https://bugzilla.kernel.org/show_bug.cgi?id=203123
There are some reports that this commit triggered this bug:
dd2283f2605 ("mm: mmap: zap pages with read mmap_sem in munmap")
While that commit certainly made the issues easier to hit, I believe
the fundamental issue has been with us as long as MPX itself, thus
the Fixes: tag below is for one of the original MPX commits.
[ mingo: Minor edits to the changelog and the patch. ]
Reported-by: Richard Biener <rguenther@suse.de>
Reported-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Guan Xuetao <gxt@pku.edu.cn>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-arch@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: linux-um@lists.infradead.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: stable@vger.kernel.org
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Link: http://lkml.kernel.org/r/20190419194747.5E1AD6DC@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/mmu_context.h | 1 -
arch/um/include/asm/mmu_context.h | 1 -
arch/unicore32/include/asm/mmu_context.h | 1 -
arch/x86/include/asm/mmu_context.h | 6 +++---
arch/x86/include/asm/mpx.h | 15 ++++++++-------
arch/x86/mm/mpx.c | 10 ++++++----
include/asm-generic/mm_hooks.h | 1 -
mm/mmap.c | 15 ++++++++-------
8 files changed, 25 insertions(+), 25 deletions(-)
--- a/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@ -237,7 +237,6 @@ extern void arch_exit_mmap(struct mm_str
#endif
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
if (start <= mm->context.vdso_base && mm->context.vdso_base < end)
--- a/arch/um/include/asm/mmu_context.h
+++ b/arch/um/include/asm/mmu_context.h
@@ -22,7 +22,6 @@ static inline int arch_dup_mmap(struct m
}
extern void arch_exit_mmap(struct mm_struct *mm);
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/unicore32/include/asm/mmu_context.h
+++ b/arch/unicore32/include/asm/mmu_context.h
@@ -88,7 +88,6 @@ static inline int arch_dup_mmap(struct m
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str
mpx_mm_init(mm);
}
-static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+static inline void arch_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
/*
* mpx_notify_unmap() goes and reads a rarely-hot
@@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_
* consistently wrong.
*/
if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX)))
- mpx_notify_unmap(mm, vma, start, end);
+ mpx_notify_unmap(mm, start, end);
}
/*
--- a/arch/x86/include/asm/mpx.h
+++ b/arch/x86/include/asm/mpx.h
@@ -64,12 +64,15 @@ struct mpx_fault_info {
};
#ifdef CONFIG_X86_INTEL_MPX
-int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
-int mpx_handle_bd_fault(void);
+
+extern int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
+extern int mpx_handle_bd_fault(void);
+
static inline int kernel_managing_mpx_tables(struct mm_struct *mm)
{
return (mm->context.bd_addr != MPX_INVALID_BOUNDS_DIR);
}
+
static inline void mpx_mm_init(struct mm_struct *mm)
{
/*
@@ -78,11 +81,10 @@ static inline void mpx_mm_init(struct mm
*/
mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR;
}
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end);
-unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len,
- unsigned long flags);
+extern void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, unsigned long end);
+extern unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags);
+
#else
static inline int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs)
{
@@ -100,7 +102,6 @@ static inline void mpx_mm_init(struct mm
{
}
static inline void mpx_notify_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st
* the virtual address region start...end have already been split if
* necessary, and the 'vma' is the first vma in this range (start -> end).
*/
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
+ struct vm_area_struct *vma;
int ret;
/*
@@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct *
* which should not occur normally. Being strict about it here
* helps ensure that we do not have an exploitable stack overflow.
*/
- do {
+ vma = find_vma(mm, start);
+ while (vma && vma->vm_start < end) {
if (vma->vm_flags & VM_MPX)
return;
vma = vma->vm_next;
- } while (vma && vma->vm_start < end);
+ }
ret = mpx_unmap_tables(mm, start, end);
if (ret)
--- a/include/asm-generic/mm_hooks.h
+++ b/include/asm-generic/mm_hooks.h
@@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2736,9 +2736,17 @@ int __do_munmap(struct mm_struct *mm, un
return -EINVAL;
len = PAGE_ALIGN(len);
+ end = start + len;
if (len == 0)
return -EINVAL;
+ /*
+ * arch_unmap() might do unmaps itself. It must be called
+ * and finish any rbtree manipulation before this code
+ * runs and also starts to manipulate the rbtree.
+ */
+ arch_unmap(mm, start, end);
+
/* Find the first overlapping VMA */
vma = find_vma(mm, start);
if (!vma)
@@ -2747,7 +2755,6 @@ int __do_munmap(struct mm_struct *mm, un
/* we have start < vma->vm_end */
/* if it doesn't overlap, we have nothing.. */
- end = start + len;
if (vma->vm_start >= end)
return 0;
@@ -2817,12 +2824,6 @@ int __do_munmap(struct mm_struct *mm, un
/* Detach vmas from rbtree */
detach_vmas_to_be_unmapped(mm, vma, prev, end);
- /*
- * mpx unmap needs to be called with mmap_sem held for write.
- * It is safe to call it before unmap_region().
- */
- arch_unmap(mm, vma, start, end);
-
if (downgrade)
downgrade_write(&mm->mmap_sem);
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Michal Hocko <mhocko@suse.com>,
Peter Zijlstra <peterz@infradead.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-mm@kvack.org, Paul Mackerras <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
linux-arch@vger.kernel.org, Richard Weinberger <richard@nod.at>,
"H.J. Lu" <hjl.tools@gmail.com>, Rik van Riel <riel@surriel.com>,
Jeff Dike <jdike@addtoit.com>,
linux-um@lists.infradead.org, linuxppc-dev@lists.ozlabs.org,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Yang Shi <yang.shi@linux.alibaba.com>,
Guan Xuetao <gxt@pku.edu.cn>, Vlastimil Babka <vbabka@suse.cz>,
Richard Biener <rguenther@suse.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.0 075/139] x86/mpx, mm/core: Fix recursive munmap() corruption
Date: Thu, 23 May 2019 21:06:03 +0200 [thread overview]
Message-ID: <20190523181730.571246299@linuxfoundation.org> (raw)
In-Reply-To: <20190523181720.120897565@linuxfoundation.org>
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 5a28fc94c9143db766d1ba5480cae82d856ad080 upstream.
This is a bit of a mess, to put it mildly. But, it's a bug
that only seems to have showed up in 4.20 but wasn't noticed
until now, because nobody uses MPX.
MPX has the arch_unmap() hook inside of munmap() because MPX
uses bounds tables that protect other areas of memory. When
memory is unmapped, there is also a need to unmap the MPX
bounds tables. Barring this, unused bounds tables can eat 80%
of the address space.
But, the recursive do_munmap() that gets called vi arch_unmap()
wreaks havoc with __do_munmap()'s state. It can result in
freeing populated page tables, accessing bogus VMA state,
double-freed VMAs and more.
See the "long story" further below for the gory details.
To fix this, call arch_unmap() before __do_unmap() has a chance
to do anything meaningful. Also, remove the 'vma' argument
and force the MPX code to do its own, independent VMA lookup.
== UML / unicore32 impact ==
Remove unused 'vma' argument to arch_unmap(). No functional
change.
I compile tested this on UML but not unicore32.
== powerpc impact ==
powerpc uses arch_unmap() well to watch for munmap() on the
VDSO and zeroes out 'current->mm->context.vdso_base'. Moving
arch_unmap() makes this happen earlier in __do_munmap(). But,
'vdso_base' seems to only be used in perf and in the signal
delivery that happens near the return to userspace. I can not
find any likely impact to powerpc, other than the zeroing
happening a little earlier.
powerpc does not use the 'vma' argument and is unaffected by
its removal.
I compile-tested a 64-bit powerpc defconfig.
== x86 impact ==
For the common success case this is functionally identical to
what was there before. For the munmap() failure case, it's
possible that some MPX tables will be zapped for memory that
continues to be in use. But, this is an extraordinarily
unlikely scenario and the harm would be that MPX provides no
protection since the bounds table got reset (zeroed).
I can't imagine anyone doing this:
ptr = mmap();
// use ptr
ret = munmap(ptr);
if (ret)
// oh, there was an error, I'll
// keep using ptr.
Because if you're doing munmap(), you are *done* with the
memory. There's probably no good data in there _anyway_.
This passes the original reproducer from Richard Biener as
well as the existing mpx selftests/.
The long story:
munmap() has a couple of pieces:
1. Find the affected VMA(s)
2. Split the start/end one(s) if neceesary
3. Pull the VMAs out of the rbtree
4. Actually zap the memory via unmap_region(), including
freeing page tables (or queueing them to be freed).
5. Fix up some of the accounting (like fput()) and actually
free the VMA itself.
This specific ordering was actually introduced by:
dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
during the 4.20 merge window. The previous __do_munmap() code
was actually safe because the only thing after arch_unmap() was
remove_vma_list(). arch_unmap() could not see 'vma' in the
rbtree because it was detached, so it is not even capable of
doing operations unsafe for remove_vma_list()'s use of 'vma'.
Richard Biener reported a test that shows this in dmesg:
[1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551
[1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576
What triggered this was the recursive do_munmap() called via
arch_unmap(). It was freeing page tables that has not been
properly zapped.
But, the problem was bigger than this. For one, arch_unmap()
can free VMAs. But, the calling __do_munmap() has variables
that *point* to VMAs and obviously can't handle them just
getting freed while the pointer is still in use.
I tried a couple of things here. First, I tried to fix the page
table freeing problem in isolation, but I then found the VMA
issue. I also tried having the MPX code return a flag if it
modified the rbtree which would force __do_munmap() to re-walk
to restart. That spiralled out of control in complexity pretty
fast.
Just moving arch_unmap() and accepting that the bonkers failure
case might eat some bounds tables seems like the simplest viable
fix.
This was also reported in the following kernel bugzilla entry:
https://bugzilla.kernel.org/show_bug.cgi?id=203123
There are some reports that this commit triggered this bug:
dd2283f2605 ("mm: mmap: zap pages with read mmap_sem in munmap")
While that commit certainly made the issues easier to hit, I believe
the fundamental issue has been with us as long as MPX itself, thus
the Fixes: tag below is for one of the original MPX commits.
[ mingo: Minor edits to the changelog and the patch. ]
Reported-by: Richard Biener <rguenther@suse.de>
Reported-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Guan Xuetao <gxt@pku.edu.cn>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-arch@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: linux-um@lists.infradead.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: stable@vger.kernel.org
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Link: http://lkml.kernel.org/r/20190419194747.5E1AD6DC@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/mmu_context.h | 1 -
arch/um/include/asm/mmu_context.h | 1 -
arch/unicore32/include/asm/mmu_context.h | 1 -
arch/x86/include/asm/mmu_context.h | 6 +++---
arch/x86/include/asm/mpx.h | 15 ++++++++-------
arch/x86/mm/mpx.c | 10 ++++++----
include/asm-generic/mm_hooks.h | 1 -
mm/mmap.c | 15 ++++++++-------
8 files changed, 25 insertions(+), 25 deletions(-)
--- a/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@ -237,7 +237,6 @@ extern void arch_exit_mmap(struct mm_str
#endif
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
if (start <= mm->context.vdso_base && mm->context.vdso_base < end)
--- a/arch/um/include/asm/mmu_context.h
+++ b/arch/um/include/asm/mmu_context.h
@@ -22,7 +22,6 @@ static inline int arch_dup_mmap(struct m
}
extern void arch_exit_mmap(struct mm_struct *mm);
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/unicore32/include/asm/mmu_context.h
+++ b/arch/unicore32/include/asm/mmu_context.h
@@ -88,7 +88,6 @@ static inline int arch_dup_mmap(struct m
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str
mpx_mm_init(mm);
}
-static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+static inline void arch_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
/*
* mpx_notify_unmap() goes and reads a rarely-hot
@@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_
* consistently wrong.
*/
if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX)))
- mpx_notify_unmap(mm, vma, start, end);
+ mpx_notify_unmap(mm, start, end);
}
/*
--- a/arch/x86/include/asm/mpx.h
+++ b/arch/x86/include/asm/mpx.h
@@ -64,12 +64,15 @@ struct mpx_fault_info {
};
#ifdef CONFIG_X86_INTEL_MPX
-int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
-int mpx_handle_bd_fault(void);
+
+extern int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
+extern int mpx_handle_bd_fault(void);
+
static inline int kernel_managing_mpx_tables(struct mm_struct *mm)
{
return (mm->context.bd_addr != MPX_INVALID_BOUNDS_DIR);
}
+
static inline void mpx_mm_init(struct mm_struct *mm)
{
/*
@@ -78,11 +81,10 @@ static inline void mpx_mm_init(struct mm
*/
mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR;
}
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end);
-unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len,
- unsigned long flags);
+extern void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, unsigned long end);
+extern unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags);
+
#else
static inline int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs)
{
@@ -100,7 +102,6 @@ static inline void mpx_mm_init(struct mm
{
}
static inline void mpx_notify_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st
* the virtual address region start...end have already been split if
* necessary, and the 'vma' is the first vma in this range (start -> end).
*/
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
+ struct vm_area_struct *vma;
int ret;
/*
@@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct *
* which should not occur normally. Being strict about it here
* helps ensure that we do not have an exploitable stack overflow.
*/
- do {
+ vma = find_vma(mm, start);
+ while (vma && vma->vm_start < end) {
if (vma->vm_flags & VM_MPX)
return;
vma = vma->vm_next;
- } while (vma && vma->vm_start < end);
+ }
ret = mpx_unmap_tables(mm, start, end);
if (ret)
--- a/include/asm-generic/mm_hooks.h
+++ b/include/asm-generic/mm_hooks.h
@@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2736,9 +2736,17 @@ int __do_munmap(struct mm_struct *mm, un
return -EINVAL;
len = PAGE_ALIGN(len);
+ end = start + len;
if (len == 0)
return -EINVAL;
+ /*
+ * arch_unmap() might do unmaps itself. It must be called
+ * and finish any rbtree manipulation before this code
+ * runs and also starts to manipulate the rbtree.
+ */
+ arch_unmap(mm, start, end);
+
/* Find the first overlapping VMA */
vma = find_vma(mm, start);
if (!vma)
@@ -2747,7 +2755,6 @@ int __do_munmap(struct mm_struct *mm, un
/* we have start < vma->vm_end */
/* if it doesn't overlap, we have nothing.. */
- end = start + len;
if (vma->vm_start >= end)
return 0;
@@ -2817,12 +2824,6 @@ int __do_munmap(struct mm_struct *mm, un
/* Detach vmas from rbtree */
detach_vmas_to_be_unmapped(mm, vma, prev, end);
- /*
- * mpx unmap needs to be called with mmap_sem held for write.
- * It is safe to call it before unmap_region().
- */
- arch_unmap(mm, vma, start, end);
-
if (downgrade)
downgrade_write(&mm->mmap_sem);
WARNING: multiple messages have this Message-ID (diff)
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Michal Hocko <mhocko@suse.com>,
Peter Zijlstra <peterz@infradead.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
linux-mm@kvack.org, Paul Mackerras <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@kernel.org>,
Anton Ivanov <anton.ivanov@cambridgegreys.com>,
linux-arch@vger.kernel.org, Richard Weinberger <richard@nod.at>,
"H.J. Lu" <hjl.tools@gmail.com>, Rik van Riel <riel@surriel.com>,
Jeff Dike <jdike@addtoit.com>,
linux-um@lists.infradead.org, linuxppc-dev@lists.ozlabs.org,
Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>,
Yang Shi <yang.shi@linux.alibaba.com>,
Guan Xuetao <gxt@pku.edu.cn>, Vlastimil Babka <vbabka@suse.cz>,
Richard Biener <rguenther@suse.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Michael Ellerman <mpe@ellerman.id.au>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.0 075/139] x86/mpx, mm/core: Fix recursive munmap() corruption
Date: Thu, 23 May 2019 21:06:03 +0200 [thread overview]
Message-ID: <20190523181730.571246299@linuxfoundation.org> (raw)
In-Reply-To: <20190523181720.120897565@linuxfoundation.org>
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 5a28fc94c9143db766d1ba5480cae82d856ad080 upstream.
This is a bit of a mess, to put it mildly. But, it's a bug
that only seems to have showed up in 4.20 but wasn't noticed
until now, because nobody uses MPX.
MPX has the arch_unmap() hook inside of munmap() because MPX
uses bounds tables that protect other areas of memory. When
memory is unmapped, there is also a need to unmap the MPX
bounds tables. Barring this, unused bounds tables can eat 80%
of the address space.
But, the recursive do_munmap() that gets called vi arch_unmap()
wreaks havoc with __do_munmap()'s state. It can result in
freeing populated page tables, accessing bogus VMA state,
double-freed VMAs and more.
See the "long story" further below for the gory details.
To fix this, call arch_unmap() before __do_unmap() has a chance
to do anything meaningful. Also, remove the 'vma' argument
and force the MPX code to do its own, independent VMA lookup.
== UML / unicore32 impact ==
Remove unused 'vma' argument to arch_unmap(). No functional
change.
I compile tested this on UML but not unicore32.
== powerpc impact ==
powerpc uses arch_unmap() well to watch for munmap() on the
VDSO and zeroes out 'current->mm->context.vdso_base'. Moving
arch_unmap() makes this happen earlier in __do_munmap(). But,
'vdso_base' seems to only be used in perf and in the signal
delivery that happens near the return to userspace. I can not
find any likely impact to powerpc, other than the zeroing
happening a little earlier.
powerpc does not use the 'vma' argument and is unaffected by
its removal.
I compile-tested a 64-bit powerpc defconfig.
== x86 impact ==
For the common success case this is functionally identical to
what was there before. For the munmap() failure case, it's
possible that some MPX tables will be zapped for memory that
continues to be in use. But, this is an extraordinarily
unlikely scenario and the harm would be that MPX provides no
protection since the bounds table got reset (zeroed).
I can't imagine anyone doing this:
ptr = mmap();
// use ptr
ret = munmap(ptr);
if (ret)
// oh, there was an error, I'll
// keep using ptr.
Because if you're doing munmap(), you are *done* with the
memory. There's probably no good data in there _anyway_.
This passes the original reproducer from Richard Biener as
well as the existing mpx selftests/.
The long story:
munmap() has a couple of pieces:
1. Find the affected VMA(s)
2. Split the start/end one(s) if neceesary
3. Pull the VMAs out of the rbtree
4. Actually zap the memory via unmap_region(), including
freeing page tables (or queueing them to be freed).
5. Fix up some of the accounting (like fput()) and actually
free the VMA itself.
This specific ordering was actually introduced by:
dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
during the 4.20 merge window. The previous __do_munmap() code
was actually safe because the only thing after arch_unmap() was
remove_vma_list(). arch_unmap() could not see 'vma' in the
rbtree because it was detached, so it is not even capable of
doing operations unsafe for remove_vma_list()'s use of 'vma'.
Richard Biener reported a test that shows this in dmesg:
[1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551
[1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576
What triggered this was the recursive do_munmap() called via
arch_unmap(). It was freeing page tables that has not been
properly zapped.
But, the problem was bigger than this. For one, arch_unmap()
can free VMAs. But, the calling __do_munmap() has variables
that *point* to VMAs and obviously can't handle them just
getting freed while the pointer is still in use.
I tried a couple of things here. First, I tried to fix the page
table freeing problem in isolation, but I then found the VMA
issue. I also tried having the MPX code return a flag if it
modified the rbtree which would force __do_munmap() to re-walk
to restart. That spiralled out of control in complexity pretty
fast.
Just moving arch_unmap() and accepting that the bonkers failure
case might eat some bounds tables seems like the simplest viable
fix.
This was also reported in the following kernel bugzilla entry:
https://bugzilla.kernel.org/show_bug.cgi?id=203123
There are some reports that this commit triggered this bug:
dd2283f2605 ("mm: mmap: zap pages with read mmap_sem in munmap")
While that commit certainly made the issues easier to hit, I believe
the fundamental issue has been with us as long as MPX itself, thus
the Fixes: tag below is for one of the original MPX commits.
[ mingo: Minor edits to the changelog and the patch. ]
Reported-by: Richard Biener <rguenther@suse.de>
Reported-by: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Guan Xuetao <gxt@pku.edu.cn>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-arch@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: linux-um@lists.infradead.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: stable@vger.kernel.org
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Link: http://lkml.kernel.org/r/20190419194747.5E1AD6DC@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/mmu_context.h | 1 -
arch/um/include/asm/mmu_context.h | 1 -
arch/unicore32/include/asm/mmu_context.h | 1 -
arch/x86/include/asm/mmu_context.h | 6 +++---
arch/x86/include/asm/mpx.h | 15 ++++++++-------
arch/x86/mm/mpx.c | 10 ++++++----
include/asm-generic/mm_hooks.h | 1 -
mm/mmap.c | 15 ++++++++-------
8 files changed, 25 insertions(+), 25 deletions(-)
--- a/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@ -237,7 +237,6 @@ extern void arch_exit_mmap(struct mm_str
#endif
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
if (start <= mm->context.vdso_base && mm->context.vdso_base < end)
--- a/arch/um/include/asm/mmu_context.h
+++ b/arch/um/include/asm/mmu_context.h
@@ -22,7 +22,6 @@ static inline int arch_dup_mmap(struct m
}
extern void arch_exit_mmap(struct mm_struct *mm);
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/unicore32/include/asm/mmu_context.h
+++ b/arch/unicore32/include/asm/mmu_context.h
@@ -88,7 +88,6 @@ static inline int arch_dup_mmap(struct m
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str
mpx_mm_init(mm);
}
-static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+static inline void arch_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
/*
* mpx_notify_unmap() goes and reads a rarely-hot
@@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_
* consistently wrong.
*/
if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX)))
- mpx_notify_unmap(mm, vma, start, end);
+ mpx_notify_unmap(mm, start, end);
}
/*
--- a/arch/x86/include/asm/mpx.h
+++ b/arch/x86/include/asm/mpx.h
@@ -64,12 +64,15 @@ struct mpx_fault_info {
};
#ifdef CONFIG_X86_INTEL_MPX
-int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
-int mpx_handle_bd_fault(void);
+
+extern int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs);
+extern int mpx_handle_bd_fault(void);
+
static inline int kernel_managing_mpx_tables(struct mm_struct *mm)
{
return (mm->context.bd_addr != MPX_INVALID_BOUNDS_DIR);
}
+
static inline void mpx_mm_init(struct mm_struct *mm)
{
/*
@@ -78,11 +81,10 @@ static inline void mpx_mm_init(struct mm
*/
mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR;
}
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end);
-unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len,
- unsigned long flags);
+extern void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, unsigned long end);
+extern unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags);
+
#else
static inline int mpx_fault_info(struct mpx_fault_info *info, struct pt_regs *regs)
{
@@ -100,7 +102,6 @@ static inline void mpx_mm_init(struct mm
{
}
static inline void mpx_notify_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/arch/x86/mm/mpx.c
+++ b/arch/x86/mm/mpx.c
@@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st
* the virtual address region start...end have already been split if
* necessary, and the 'vma' is the first vma in this range (start -> end).
*/
-void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma,
- unsigned long start, unsigned long end)
+void mpx_notify_unmap(struct mm_struct *mm, unsigned long start,
+ unsigned long end)
{
+ struct vm_area_struct *vma;
int ret;
/*
@@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct *
* which should not occur normally. Being strict about it here
* helps ensure that we do not have an exploitable stack overflow.
*/
- do {
+ vma = find_vma(mm, start);
+ while (vma && vma->vm_start < end) {
if (vma->vm_flags & VM_MPX)
return;
vma = vma->vm_next;
- } while (vma && vma->vm_start < end);
+ }
ret = mpx_unmap_tables(mm, start, end);
if (ret)
--- a/include/asm-generic/mm_hooks.h
+++ b/include/asm-generic/mm_hooks.h
@@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct
}
static inline void arch_unmap(struct mm_struct *mm,
- struct vm_area_struct *vma,
unsigned long start, unsigned long end)
{
}
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2736,9 +2736,17 @@ int __do_munmap(struct mm_struct *mm, un
return -EINVAL;
len = PAGE_ALIGN(len);
+ end = start + len;
if (len == 0)
return -EINVAL;
+ /*
+ * arch_unmap() might do unmaps itself. It must be called
+ * and finish any rbtree manipulation before this code
+ * runs and also starts to manipulate the rbtree.
+ */
+ arch_unmap(mm, start, end);
+
/* Find the first overlapping VMA */
vma = find_vma(mm, start);
if (!vma)
@@ -2747,7 +2755,6 @@ int __do_munmap(struct mm_struct *mm, un
/* we have start < vma->vm_end */
/* if it doesn't overlap, we have nothing.. */
- end = start + len;
if (vma->vm_start >= end)
return 0;
@@ -2817,12 +2824,6 @@ int __do_munmap(struct mm_struct *mm, un
/* Detach vmas from rbtree */
detach_vmas_to_be_unmapped(mm, vma, prev, end);
- /*
- * mpx unmap needs to be called with mmap_sem held for write.
- * It is safe to call it before unmap_region().
- */
- arch_unmap(mm, vma, start, end);
-
if (downgrade)
downgrade_write(&mm->mmap_sem);
_______________________________________________
linux-um mailing list
linux-um@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-um
next prev parent reply other threads:[~2019-05-23 19:23 UTC|newest]
Thread overview: 156+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-23 19:04 [PATCH 5.0 000/139] 5.0.19-stable review Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 001/139] ipv6: fix src addr routing with the exception table Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 002/139] ipv6: prevent possible fib6 leaks Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 003/139] net: Always descend into dsa/ Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 004/139] net: avoid weird emergency message Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 005/139] net/mlx4_core: Change the error print to info print Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 006/139] net: test nouarg before dereferencing zerocopy pointers Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 007/139] net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 008/139] nfp: flower: add rcu locks when accessing netdev for tunnels Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 009/139] ppp: deflate: Fix possible crash in deflate_init Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 010/139] rtnetlink: always put IFLA_LINK for links with a link-netnsid Greg Kroah-Hartman
2019-05-23 19:04 ` [PATCH 5.0 011/139] tipc: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 012/139] vsock/virtio: free packets during the socket release Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 013/139] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 014/139] vsock/virtio: Initialize core virtio vsock before registering the driver Greg Kroah-Hartman
2019-05-23 19:05 ` Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 015/139] net/mlx5e: Add missing ethtool driver info for representors Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 016/139] net/mlx5e: Additional check for flow destination comparison Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 017/139] net/mlx5: Imply MLXFW in mlx5_core Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 018/139] net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 019/139] mm/gup: Remove the write parameter from gup_fast_permitted() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 020/139] blk-mq: free hw queues resource in hctxs release handler Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 021/139] regulator: core: fix error path for regulator_set_voltage_unlocked Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 022/139] parisc: Export running_on_qemu symbol for modules Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 023/139] parisc: Add memory clobber to TLB purges Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 024/139] parisc: Skip registering LED when running in QEMU Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 025/139] parisc: Add memory barrier to asm pdc and sync instructions Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 026/139] parisc: Allow live-patching of __meminit functions Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 027/139] parisc: Use PA_ASM_LEVEL in boot code Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 028/139] parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 029/139] stm class: Fix channel free in stm output free path Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 030/139] stm class: Fix channel bitmap on 32-bit systems Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 031/139] brd: re-enable __GFP_HIGHMEM in brd_insert_page() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 032/139] proc: prevent changes to overridden credentials Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 033/139] Revert "MD: fix lock contention for flush bios" Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 034/139] md: batch flush requests Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 035/139] md: add mddev->pers to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 036/139] md: add a missing endianness conversion in check_sb_changes Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 037/139] dcache: sort the freeing-without-RCU-delay mess for good Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 038/139] intel_th: msu: Fix single mode with IOMMU Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 039/139] p54: drop device reference count if fails to enable device Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 040/139] of: fix clang -Wunsequenced for be32_to_cpu() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 041/139] brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 mini PCs Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 042/139] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 043/139] phy: ti-pipe3: fix missing bit-wise or operator when assigning val Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 044/139] media: ov6650: Fix sensor possibly not detected on probe Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 045/139] media: imx: csi: Allow unknown nearest upstream entities Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 046/139] media: imx: Clear fwnode link struct for each endpoint iteration Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 047/139] RDMA/mlx5: Use get_zeroed_page() for clock_info Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 048/139] RDMA/ipoib: Allow user space differentiate between valid dev_port Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 049/139] NFS4: Fix v4.0 client state corruption when mount Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 050/139] PNFS fallback to MDS if no deviceid found Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 051/139] clk: hi3660: Mark clk_gate_ufs_subsys as critical Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 052/139] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 053/139] clk: mediatek: Disable tuner_en before change PLL rate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 054/139] clk: rockchip: fix wrong clock definitions for rk3328 Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 055/139] udlfb: delete the unused parameter for dlfb_handle_damage Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 056/139] udlfb: fix sleeping inside spinlock Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 057/139] udlfb: introduce a rendering mutex Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 058/139] fuse: fix writepages on 32bit Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 059/139] fuse: honor RLIMIT_FSIZE in fuse_file_fallocate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 060/139] ovl: fix missing upper fs freeze protection on copy up for ioctl Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 061/139] gcc-plugins: arm_ssp_per_task_plugin: Fix for older GCC < 6 Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 062/139] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 063/139] ceph: flush dirty inodes before proceeding with remount Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 064/139] x86_64: Add gap to int3 to allow for call emulation Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 065/139] x86_64: Allow breakpoints to emulate call instructions Greg Kroah-Hartman
2019-05-23 19:05 ` Greg Kroah-Hartman
2019-05-23 19:05 ` gregkh
2019-05-23 19:05 ` [PATCH 5.0 066/139] ftrace/x86_64: Emulate call function while updating in breakpoint handler Greg Kroah-Hartman
2019-05-23 19:05 ` Greg Kroah-Hartman
2019-05-23 19:05 ` gregkh
2019-05-23 19:05 ` [PATCH 5.0 067/139] tracing: Fix partial reading of trace events id file Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 068/139] tracing: probeevent: Fix to make the type of $comm string Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 069/139] memory: tegra: Fix integer overflow on tick value calculation Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 070/139] perf intel-pt: Fix instructions sampling rate Greg Kroah-Hartman
2019-05-23 19:05 ` [PATCH 5.0 071/139] perf intel-pt: Fix improved sample timestamp Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 072/139] perf intel-pt: Fix sample timestamp wrt non-taken branches Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 073/139] MIPS: perf: Fix build with CONFIG_CPU_BMIPS5000 enabled Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 074/139] objtool: Allow AR to be overridden with HOSTAR Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman [this message]
2019-05-23 19:06 ` [PATCH 5.0 075/139] x86/mpx, mm/core: Fix recursive munmap() corruption Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 076/139] fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 077/139] fbdev: sm712fb: fix brightness control on reboot, dont set SR30 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 078/139] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 079/139] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 080/139] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 081/139] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 082/139] fbdev: sm712fb: fix support for 1024x768-16 mode Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 083/139] fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 084/139] fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 085/139] PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 086/139] PCI: Mark Atheros AR9462 to avoid bus reset Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 087/139] PCI: Reset Lenovo ThinkPad P50 nvgpu at boot if necessary Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 088/139] PCI: Init PCIe feature bits for managed host bridge alloc Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 089/139] PCI/AER: Change pci_aer_init() stub to return void Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 090/139] PCI: rcar: Add the initialization of PCIe link in resume_noirq() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 091/139] PCI: Factor out pcie_retrain_link() function Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 092/139] PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 093/139] dm cache metadata: Fix loading discard bitset Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 094/139] dm zoned: Fix zone report handling Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 095/139] dm delay: fix a crash when invalid device is specified Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 096/139] dm crypt: move detailed message into debug level Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 097/139] dm integrity: correctly calculate the size of metadata area Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 098/139] dm mpath: always free attached_handler_name in parse_path() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 099/139] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 100/139] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 101/139] xfrm: Reset secpath in xfrm failure Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 102/139] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 103/139] vti4: ipip tunnel deregistration fixes Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 104/139] xfrm: clean up xfrm protocol checks Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 105/139] esp4: add length check for UDP encapsulation Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 106/139] xfrm: Honor original L3 slave device in xfrmi policy lookup Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 107/139] xfrm4: Fix uninitialized memory read in _decode_session4 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 108/139] ARC: PAE40: dont panic and instead turn off hw ioc Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 109/139] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 110/139] KVM: PPC: Book3S HV: Perserve PSSCR FAKE_SUSPEND bit on guest exit Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 111/139] KVM: PPC: Book3S: Protect memslots while validating user address Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 112/139] power: supply: cpcap-battery: Fix division by zero Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 113/139] securityfs: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 114/139] apparmorfs: " Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 115/139] PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 116/139] x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 117/139] mac80211: Fix kernel panic due to use of txq after free Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 118/139] net: ieee802154: fix missing checks for regmap_update_bits Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 119/139] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 120/139] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 121/139] tools: bpftool: fix infinite loop in map create Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 122/139] bpf: Fix preempt_enable_no_resched() abuse Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 123/139] qmi_wwan: new Wistron, ZTE and D-Link devices Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 124/139] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 125/139] sched/cpufreq: Fix kobject memleak Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 126/139] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 127/139] KVM: fix KVM_CLEAR_DIRTY_LOG for memory slots of unaligned size Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 128/139] KVM: selftests: make hyperv_cpuid test pass on AMD Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 129/139] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 130/139] i2c: designware: ratelimit transfer when suspended errors Greg Kroah-Hartman
2019-05-23 19:06 ` [PATCH 5.0 131/139] perf bench numa: Add define for RUSAGE_THREAD if not present Greg Kroah-Hartman
2019-05-23 19:06 ` Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 132/139] perf cs-etm: Always allocate memory for cs_etm_queue::prev_packet Greg Kroah-Hartman
2019-05-23 19:07 ` Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 133/139] perf/x86/intel: Fix race in intel_pmu_disable_event() Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 134/139] Revert "Dont jump to compute_result state from check_result state" Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 135/139] md/raid: raid5 preserve the writeback action after the parity check Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 136/139] driver core: Postpone DMA tear-down until after devres release for probe failure Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 137/139] bpf: relax inode permission check for retrieving bpf program Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 138/139] bpf: add map_lookup_elem_sys_only for lookups from syscall side Greg Kroah-Hartman
2019-05-23 19:07 ` [PATCH 5.0 139/139] bpf, lru: avoid messing with eviction heuristics upon syscall lookup Greg Kroah-Hartman
2019-05-24 3:08 ` [PATCH 5.0 000/139] 5.0.19-stable review kernelci.org bot
2019-05-24 8:52 ` Naresh Kamboju
2019-05-24 11:05 ` Jon Hunter
2019-05-24 11:05 ` Jon Hunter
2019-05-24 18:54 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190523181730.571246299@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=anton.ivanov@cambridgegreys.com \
--cc=benh@kernel.crashing.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=gxt@pku.edu.cn \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jdike@addtoit.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-um@lists.infradead.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@kernel.org \
--cc=mhocko@suse.com \
--cc=mingo@kernel.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=rguenther@suse.de \
--cc=richard@nod.at \
--cc=riel@surriel.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=yang.shi@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.