--- /dev/null
+From f96f7a40874d7c746680c0b9f57cef2262ae551f Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 11 Aug 2022 12:34:34 +0200
+Subject: mm/hugetlb: fix hugetlb not supporting softdirty tracking
+
+From: David Hildenbrand <david@redhat.com>
+
+commit f96f7a40874d7c746680c0b9f57cef2262ae551f upstream.
+
+Patch series "mm/hugetlb: fix write-fault handling for shared mappings", v2.
+
+I observed that hugetlb does not support/expect write-faults in shared
+mappings that would have to map the R/O-mapped page writable -- and I
+found two case where we could currently get such faults and would
+erroneously map an anon page into a shared mapping.
+
+Reproducers part of the patches.
+
+I propose to backport both fixes to stable trees. The first fix needs a
+small adjustment.
+
+
+This patch (of 2):
+
+Staring at hugetlb_wp(), one might wonder where all the logic for shared
+mappings is when stumbling over a write-protected page in a shared
+mapping. In fact, there is none, and so far we thought we could get away
+with that because e.g., mprotect() should always do the right thing and
+map all pages directly writable.
+
+Looks like we were wrong:
+
+--------------------------------------------------------------------------
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+
+ #define HUGETLB_SIZE (2 * 1024 * 1024u)
+
+ static void clear_softdirty(void)
+ {
+ int fd = open("/proc/self/clear_refs", O_WRONLY);
+ const char *ctrl = "4";
+ int ret;
+
+ if (fd < 0) {
+ fprintf(stderr, "open(clear_refs) failed\n");
+ exit(1);
+ }
+ ret = write(fd, ctrl, strlen(ctrl));
+ if (ret != strlen(ctrl)) {
+ fprintf(stderr, "write(clear_refs) failed\n");
+ exit(1);
+ }
+ close(fd);
+ }
+
+ int main(int argc, char **argv)
+ {
+ char *map;
+ int fd;
+
+ fd = open("/dev/hugepages/tmp", O_RDWR | O_CREAT);
+ if (!fd) {
+ fprintf(stderr, "open() failed\n");
+ return -errno;
+ }
+ if (ftruncate(fd, HUGETLB_SIZE)) {
+ fprintf(stderr, "ftruncate() failed\n");
+ return -errno;
+ }
+
+ map = mmap(NULL, HUGETLB_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr, "mmap() failed\n");
+ return -errno;
+ }
+
+ *map = 0;
+
+ if (mprotect(map, HUGETLB_SIZE, PROT_READ)) {
+ fprintf(stderr, "mmprotect() failed\n");
+ return -errno;
+ }
+
+ clear_softdirty();
+
+ if (mprotect(map, HUGETLB_SIZE, PROT_READ|PROT_WRITE)) {
+ fprintf(stderr, "mmprotect() failed\n");
+ return -errno;
+ }
+
+ *map = 0;
+
+ return 0;
+ }
+--------------------------------------------------------------------------
+
+Above test fails with SIGBUS when there is only a single free hugetlb page.
+ # echo 1 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
+ # ./test
+ Bus error (core dumped)
+
+And worse, with sufficient free hugetlb pages it will map an anonymous page
+into a shared mapping, for example, messing up accounting during unmap
+and breaking MAP_SHARED semantics:
+ # echo 2 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
+ # ./test
+ # cat /proc/meminfo | grep HugePages_
+ HugePages_Total: 2
+ HugePages_Free: 1
+ HugePages_Rsvd: 18446744073709551615
+ HugePages_Surp: 0
+
+Reason in this particular case is that vma_wants_writenotify() will
+return "true", removing VM_SHARED in vma_set_page_prot() to map pages
+write-protected. Let's teach vma_wants_writenotify() that hugetlb does not
+support softdirty tracking.
+
+Link: https://lkml.kernel.org/r/20220811103435.188481-1-david@redhat.com
+Link: https://lkml.kernel.org/r/20220811103435.188481-2-david@redhat.com
+Fixes: 64e455079e1b ("mm: softdirty: enable write notifications on VMAs after VM_SOFTDIRTY cleared")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Feiner <pfeiner@google.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Cyrill Gorcunov <gorcunov@openvz.org>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Jamie Liu <jamieliu@google.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: <stable@vger.kernel.org> [3.18+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mmap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -1593,8 +1593,12 @@ int vma_wants_writenotify(struct vm_area
+ pgprot_val(vm_pgprot_modify(vm_page_prot, vm_flags)))
+ return 0;
+
+- /* Do we need to track softdirty? */
+- if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY))
++ /*
++ * Do we need to track softdirty? hugetlb does not support softdirty
++ * tracking yet.
++ */
++ if (IS_ENABLED(CONFIG_MEM_SOFT_DIRTY) && !(vm_flags & VM_SOFTDIRTY) &&
++ !is_vm_hugetlb_page(vma))
+ return 1;
+
+ /* Specialty mapping? */
projects / thirdparty / kernel / stable-queue.git / commitdiff
