4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 May 2022 09:05:48 +0000 (11:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 May 2022 09:05:48 +0000 (11:05 +0200)
added patches:
mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch

queue-4.19/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch [new file with mode: 0644]
queue-4.19/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch b/queue-4.19/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
new file mode 100644 (file)
index 0000000..e98312f
--- /dev/null
@@ -0,0 +1,47 @@
+From e763243cc6cb1fcc720ec58cfd6e7c35ae90a479 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 22 Mar 2022 14:41:59 -0700
+Subject: mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit e763243cc6cb1fcc720ec58cfd6e7c35ae90a479 upstream.
+
+userfaultfd calls copy_huge_page_from_user() which does not do any cache
+flushing for the target page.  Then the target page will be mapped to
+the user space with a different address (user address), which might have
+an alias issue with the kernel address used to copy the data from the
+user to.
+
+Fix this issue by flushing dcache in copy_huge_page_from_user().
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-4-songmuchun@bytedance.com
+Fixes: fa4d75c1de13 ("userfaultfd: hugetlbfs: add copy_huge_page_from_user for hugetlb userfaultfd support")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Fam Zheng <fam.zheng@bytedance.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Lars Persson <lars.persson@axis.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Xiongchun Duan <duanxiongchun@bytedance.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4978,6 +4978,8 @@ long copy_huge_page_from_user(struct pag
+               if (rc)
+                       break;
++              flush_dcache_page(subpage);
++
+               cond_resched();
+       }
+       return ret_val;
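Review bot: The added `flush_dcache_page(subpage);` relies on a `subpage` variable whose declaration is not visible in this hunk, because the body of copy_huge_page_from_user() starts outside it. Since this is an upstream hunk queued for 4.19, confirm that the 4.19 tree already tracks the current sub-page under that name; otherwise mm/memory.c will not build. The flush also sits after `if (rc) break;`, so a partially copied sub-page leaves the loop unflushed, which is presumably safe only if every caller discards or recopies the page after a short copy. A one-line comment above the call would record the reason, for example `/* written through the kernel mapping; flush so the user-space alias does not see stale lines */`.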
diff --git a/queue-4.19/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch b/queue-4.19/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
new file mode 100644 (file)
index 0000000..4872586
--- /dev/null
@@ -0,0 +1,55 @@
+From 7c25a0b89a487878b0691e6524fb5a8827322194 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 22 Mar 2022 14:42:08 -0700
+Subject: mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 7c25a0b89a487878b0691e6524fb5a8827322194 upstream.
+
+userfaultfd calls mcopy_atomic_pte() and __mcopy_atomic() which do not
+do any cache flushing for the target page.  Then the target page will be
+mapped to the user space with a different address (user address), which
+might have an alias issue with the kernel address used to copy the data
+from the user to.  Fix this by insert flush_dcache_page() after
+copy_from_user() succeeds.
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-7-songmuchun@bytedance.com
+Fixes: b6ebaedb4cb1 ("userfaultfd: avoid mmap_sem read recursion in mcopy_atomic")
+Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Fam Zheng <fam.zheng@bytedance.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Lars Persson <lars.persson@axis.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Xiongchun Duan <duanxiongchun@bytedance.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/userfaultfd.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -55,6 +55,8 @@ static int mcopy_atomic_pte(struct mm_st
+                       /* don't free the page */
+                       goto out;
+               }
++
++              flush_dcache_page(page);
+       } else {
+               page = *pagep;
+               *pagep = NULL;
+@@ -574,6 +576,7 @@ retry:
+                               err = -EFAULT;
+                               goto out;
+                       }
++                      flush_dcache_page(page);
+                       goto retry;
+               } else
+                       BUG_ON(page);
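Review bot: The `else` branch of mcopy_atomic_pte() (`page = *pagep;`) installs a page that was filled elsewhere, so its cache coherence depends on the separate `flush_dcache_page(page);` added before `goto retry` in the second hunk. Nothing in the code ties the two sites together. A comment at the branch, such as `/* page was copied and flushed by the caller's retry path */`, would help prevent a later refactor from dropping one of the flushes, which could let user space read stale cache lines on architectures with aliasing data caches. Both functions start and end outside the hunks, so this pairing is inferred from the commit message rather than from visible code.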
index 0a11bee17c2bf3d862a623e204352f387909de9d..41b9155c01a60936e6922dad2d61e551cbaf4ea7 100644 (file)
@@ -10,3 +10,5 @@ alsa-pcm-fix-races-among-concurrent-read-write-and-buffer-changes.patch
 alsa-pcm-fix-races-among-concurrent-prepare-and-hw_params-hw_free-calls.patch
 alsa-pcm-fix-races-among-concurrent-prealloc-proc-writes.patch
 alsa-pcm-fix-potential-ab-ba-lock-with-buffer_mutex-and-mmap_lock.patch
+mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
+mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch