From: Greg Kroah-Hartman Date: Wed, 31 Aug 2022 19:20:54 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.327~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=171f7bb1564eae12af945823ef90d542415d014a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch --- diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..bfcfae48adf --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1 @@ +mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch diff --git a/queue-5.15/mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch b/queue-5.15/mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch new file mode 100644 index 00000000000..fe814173c8d --- /dev/null +++ b/queue-5.15/mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch 
@@ -0,0 +1,56 @@ +From jannh@google.com Wed Aug 31 21:19:43 2022 +From: Jann Horn +Date: Wed, 31 Aug 2022 21:13:48 +0200 +Subject: mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() +To: stable@vger.kernel.org +Cc: Peter Zijlstra , Will Deacon , Linus Torvalds +Message-ID: <20220831191348.3388208-1-jannh@google.com> + +From: Jann Horn + +commit b67fbebd4cf980aecbcc750e1462128bffe8ae15 upstream. + +Some drivers rely on having all VMAs through which a PFN might be +accessible listed in the rmap for correctness. +However, on X86, it was possible for a VMA with stale TLB entries +to not be listed in the rmap. + +This was fixed in mainline with +commit b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas"), +but that commit relies on preceding refactoring in +commit 18ba064e42df3 ("mmu_gather: Let there be one tlb_{start,end}_vma() +implementation") and commit 1e9fdf21a4339 ("mmu_gather: Remove per arch +tlb_{start,end}_vma()"). + +This patch provides equivalent protection without needing that +refactoring, by forcing a TLB flush between removing PTEs in +unmap_vmas() and the call to unlink_file_vma() in free_pgtables(). + +[This is a stable-specific rewrite of the upstream commit!] +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman +--- + mm/mmap.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -2643,6 +2643,18 @@ static void unmap_region(struct mm_struc + tlb_gather_mmu(&tlb, mm); + update_hiwater_rss(mm); + unmap_vmas(&tlb, vma, start, end); ++ ++ /* ++ * Ensure we have no stale TLB entries by the time this mapping is ++ * removed from the rmap. ++ * Note that we don't have to worry about nested flushes here because ++ * we're holding the mm semaphore for removing the mapping - so any ++ * concurrent flush in this region has to be coming through the rmap, ++ * and we synchronize against that using the rmap lock. 
++ */ ++ if ((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0) ++ tlb_flush_mmu(&tlb); ++ + free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS, + next ? next->vm_start : USER_PGTABLES_CEILING); + tlb_finish_mmu(&tlb); diff --git a/queue-5.15/series b/queue-5.15/series new file mode 100644 index 00000000000..bfcfae48adf --- /dev/null +++ b/queue-5.15/series @@ -0,0 +1 @@ +mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch
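Review bot: In the mm/mmap.c hunk, the new check `(vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0` tests only the first VMA, while `unmap_vmas(&tlb, vma, start, end)` directly above it is given a start/end range and can tear down more than one VMA. If the first VMA is an ordinary mapping and a later one in the range is VM_PFNMAP or VM_MIXEDMAP, `tlb_flush_mmu(&tlb)` is skipped, and that later mapping can still have stale TLB entries when free_pgtables() reaches unlink_file_vma(), which is the case the commit message sets out to close. Suggest checking the flags of every VMA covered by the range before deciding to flush (or flushing unconditionally at this point), and stating in the comment which VMAs the condition is meant to cover.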
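Review bot: The queue-5.10/series hunk lists mm-force-tlb-flush-for-pfnmap-mappings-before-unlink_file_vma.patch, but the visible diff adds that patch file only under queue-5.15/, and the subject line names only 5.15-stable. As shown, the 5.10 series file would reference a patch that is not present in its own queue directory. Either add the patch under queue-5.10/ and mention 5.10 in the commit message, or drop the queue-5.10/series hunk from this commit.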