From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Ido Schimmel <idosch@idosch.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.14 029/100] mm/memory.c: recheck page table entry with page table lock held
Date: Thu, 29 Nov 2018 15:11:59 +0100
Message-ID: <20181129140101.264750396@linuxfoundation.org>
In-Reply-To: <20181129140058.768942700@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream.
We clear the pte temporarily during read/modify/write update of the pte.
If we take a page fault while the pte is cleared, the application can get
SIGBUS. One such case is with remap_pfn_range without a backing
vm_ops->fault callback. do_fault will return SIGBUS in that case.
cpu 0                                      cpu 1
mprotect()
ptep_modify_prot_start()/pte cleared.
.
.                                          page fault.
.
.
ptep_modify_prot_commit()
Fix this by taking page table lock and rechecking for pte_none.
[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run]
Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com
Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory.c | 34 ++++++++++++++++++++++++++++++----
1 file changed, 30 insertions(+), 4 deletions(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3697,10 +3697,36 @@ static int do_fault(struct vm_fault *vmf
struct vm_area_struct *vma = vmf->vma;
int ret;
- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
- if (!vma->vm_ops->fault)
- ret = VM_FAULT_SIGBUS;
- else if (!(vmf->flags & FAULT_FLAG_WRITE))
+ /*
+ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND
+ */
+ if (!vma->vm_ops->fault) {
+ /*
+ * If we find a migration pmd entry or a none pmd entry, which
+ * should never happen, return SIGBUS
+ */
+ if (unlikely(!pmd_present(*vmf->pmd)))
+ ret = VM_FAULT_SIGBUS;
+ else {
+ vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm,
+ vmf->pmd,
+ vmf->address,
+ &vmf->ptl);
+ /*
+ * Make sure this is not a temporary clearing of pte
+ * by holding ptl and checking again. A R/M/W update
+ * of pte involves: take ptl, clearing the pte so that
+ * we don't have concurrent modification by hardware
+ * followed by an update.
+ */
+ if (unlikely(pte_none(*vmf->pte)))
+ ret = VM_FAULT_SIGBUS;
+ else
+ ret = VM_FAULT_NOPAGE;
+
+ pte_unmap_unlock(vmf->pte, vmf->ptl);
+ }
+ } else if (!(vmf->flags & FAULT_FLAG_WRITE))
ret = do_read_fault(vmf);
else if (!(vma->vm_flags & VM_SHARED))
ret = do_cow_fault(vmf);
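Review bot: the conditional at `if (unlikely(!pmd_present(*vmf->pmd)))` braces only its else branch; kernel coding style asks for braces on both branches once either branch needs them, so `ret = VM_FAULT_SIGBUS;` should be wrapped as well. The comment above the pte_none() recheck explains the temporary clearing but not why VM_FAULT_NOPAGE is the right result when the entry turns out to be populated: the fault simply returns and the access is retried against the entry the concurrent R/M/W update has already committed, so no SIGBUS is warranted. Spelling that out next to `ret = VM_FAULT_NOPAGE;` would help the next reader of do_fault().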