From: Greg Kroah-Hartman Date: Fri, 13 May 2022 09:05:55 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.9.314~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53e0ac6ca35502eadb74124bc39a1e8ae06b84b4;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: mm-fix-missing-cache-flush-for-all-tail-pages-of-compound-page.patch mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
---
diff --git a/queue-5.4/mm-fix-missing-cache-flush-for-all-tail-pages-of-compound-page.patch b/queue-5.4/mm-fix-missing-cache-flush-for-all-tail-pages-of-compound-page.patch
new file mode 100644
index 00000000000..0b28dd31f67
--- /dev/null
+++ b/queue-5.4/mm-fix-missing-cache-flush-for-all-tail-pages-of-compound-page.patch
@@ -0,0 +1,63 @@
+From 2771739a7162782c0aa6424b2e3dd874e884a15d Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Tue, 22 Mar 2022 14:41:56 -0700
+Subject: mm: fix missing cache flush for all tail pages of compound page
+
+From: Muchun Song
+
+commit 2771739a7162782c0aa6424b2e3dd874e884a15d upstream.
+
+The D-cache maintenance inside move_to_new_page() only consider one
+page, there is still D-cache maintenance issue for tail pages of
+compound page (e.g. THP or HugeTLB).
+
+THP migration is only enabled on x86_64, ARM64 and powerpc, while
+powerpc and arm64 need to maintain the consistency between I-Cache and
+D-Cache, which depends on flush_dcache_page() to maintain the
+consistency between I-Cache and D-Cache.
+
+But there is no issues on arm64 and powerpc since they already considers
+the compound page cache flushing in their icache flush function.
+HugeTLB migration is enabled on arm, arm64, mips, parisc, powerpc,
+riscv, s390 and sh, while arm has handled the compound page cache flush
+in flush_dcache_page(), but most others do not.
+
+In theory, the issue exists on many architectures. Fix this by not
+using flush_dcache_folio() since it is not backportable.
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-3-songmuchun@bytedance.com
+Fixes: 290408d4a250 ("hugetlb: hugepage migration core")
+Signed-off-by: Muchun Song
+Reviewed-by: Zi Yan
+Cc: Axel Rasmussen
+Cc: David Rientjes
+Cc: Fam Zheng
+Cc: Kirill A. Shutemov
+Cc: Lars Persson
+Cc: Mike Kravetz
+Cc: Peter Xu
+Cc: Xiongchun Duan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -994,9 +994,12 @@ static int move_to_new_page(struct page
+ if (!PageMappingFlags(page))
+ page->mapping = NULL;
+
+- if (likely(!is_zone_device_page(newpage)))
+- flush_dcache_page(newpage);
++ if (likely(!is_zone_device_page(newpage))) {
++ int i, nr = compound_nr(newpage);
+
++ for (i = 0; i < nr; i++)
++ flush_dcache_page(newpage + i);
++ }
+ }
+ out:
+ return rc;
diff --git a/queue-5.4/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch b/queue-5.4/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
new file mode 100644
index 00000000000..15cc856c29b
--- /dev/null
+++ b/queue-5.4/mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
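Review bot: In the mm/migrate.c hunk, the new loop reaches tail pages with `newpage + i`, which assumes the struct pages of a compound page are adjacent in the memmap; that may not hold for a gigantic HugeTLB page on a SPARSEMEM configuration without VMEMMAP. If such pages can reach move_to_new_page() in 5.4 (not visible from this hunk), `flush_dcache_page(nth_page(newpage, i));` would be the safer form. `compound_nr()` returns an unsigned long, so `int i, nr` narrows it; `unsigned long i, nr = compound_nr(newpage);` keeps the types aligned. move_to_new_page() starts outside the hunk.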
@@ -0,0 +1,47 @@
+From e763243cc6cb1fcc720ec58cfd6e7c35ae90a479 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Tue, 22 Mar 2022 14:41:59 -0700
+Subject: mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
+
+From: Muchun Song
+
+commit e763243cc6cb1fcc720ec58cfd6e7c35ae90a479 upstream.
+
+userfaultfd calls copy_huge_page_from_user() which does not do any cache
+flushing for the target page. Then the target page will be mapped to
+the user space with a different address (user address), which might have
+an alias issue with the kernel address used to copy the data from the
+user to.
+
+Fix this issue by flushing dcache in copy_huge_page_from_user().
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-4-songmuchun@bytedance.com
+Fixes: fa4d75c1de13 ("userfaultfd: hugetlbfs: add copy_huge_page_from_user for hugetlb userfaultfd support")
+Signed-off-by: Muchun Song
+Reviewed-by: Mike Kravetz
+Cc: Axel Rasmussen
+Cc: David Rientjes
+Cc: Fam Zheng
+Cc: Kirill A. Shutemov
+Cc: Lars Persson
+Cc: Peter Xu
+Cc: Xiongchun Duan
+Cc: Zi Yan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -4801,6 +4801,8 @@ long copy_huge_page_from_user(struct pag
+ if (rc)
+ break;
+
++ flush_dcache_page(subpage);
++
+ cond_resched();
+ }
+ return ret_val;
diff --git a/queue-5.4/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch b/queue-5.4/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
new file mode 100644
index 00000000000..6c9efde4795
--- /dev/null
+++ b/queue-5.4/mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch
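Review bot: In the mm/memory.c hunk, the added `flush_dcache_page(subpage)` sits after `if (rc) break;`, so a subpage that was only partly written by a short copy leaves the loop without a flush. That is harmless only if every caller discards the page when the return value is non-zero, which this hunk does not show; a comment above the call such as `/* flush the kernel-address copy before the page is mapped at the user address; short copies rely on the caller dropping the page */` would record the assumption. The declaration of `subpage` and the start of copy_huge_page_from_user() are outside the hunk, so it is worth confirming that the 5.4 tree already has that iterator.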
@@ -0,0 +1,55 @@
+From 7c25a0b89a487878b0691e6524fb5a8827322194 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Tue, 22 Mar 2022 14:42:08 -0700
+Subject: mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
+
+From: Muchun Song
+
+commit 7c25a0b89a487878b0691e6524fb5a8827322194 upstream.
+
+userfaultfd calls mcopy_atomic_pte() and __mcopy_atomic() which do not
+do any cache flushing for the target page. Then the target page will be
+mapped to the user space with a different address (user address), which
+might have an alias issue with the kernel address used to copy the data
+from the user to. Fix this by insert flush_dcache_page() after
+copy_from_user() succeeds.
+
+Link: https://lkml.kernel.org/r/20220210123058.79206-7-songmuchun@bytedance.com
+Fixes: b6ebaedb4cb1 ("userfaultfd: avoid mmap_sem read recursion in mcopy_atomic")
+Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
+Signed-off-by: Muchun Song
+Cc: Axel Rasmussen
+Cc: David Rientjes
+Cc: Fam Zheng
+Cc: Kirill A. Shutemov
+Cc: Lars Persson
+Cc: Mike Kravetz
+Cc: Peter Xu
+Cc: Xiongchun Duan
+Cc: Zi Yan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/userfaultfd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -53,6 +53,8 @@ static int mcopy_atomic_pte(struct mm_st
+ /* don't free the page */
+ goto out;
+ }
++
++ flush_dcache_page(page);
+ } else {
+ page = *pagep;
+ *pagep = NULL;
+@@ -572,6 +574,7 @@ retry:
+ err = -EFAULT;
+ goto out;
+ }
++ flush_dcache_page(page);
+ goto retry;
+ } else
+ BUG_ON(page);
diff --git a/queue-5.4/series b/queue-5.4/series
index 5fb624d799f..cea13ab40c5 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
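Review bot: The mm/userfaultfd.c hunks cover only the two non-hugetlb copy sites, and the Link trailers in this commit number the queued patches as parts 3, 4 and 7 of one posting. Other userfaultfd fill paths that copy user data into a page through a kernel mapping (the shmem path, for instance) would have the same alias exposure if they exist in 5.4 and are not covered by another queued patch; that cannot be confirmed from this page. Separately, a short comment at each call, e.g. `/* make the kernel-side copy visible through the user mapping */`, would keep the flush from being dropped in a later cleanup. Both mcopy_atomic_pte() and the `retry:` block start outside their hunks.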
@@ -13,3 +13,6 @@ x86-xen-insn-decode-xen-and-kvm-emulate-prefix-signature.patch
 x86-kprobes-prohibit-probing-on-instruction-which-has-emulate-prefix.patch
 kvm-x86-svm-account-for-family-17h-event-renumberings-in-amd_pmc_perf_hw_id.patch
 bluetooth-fix-the-creation-of-hdev-name.patch
+mm-fix-missing-cache-flush-for-all-tail-pages-of-compound-page.patch
+mm-hugetlb-fix-missing-cache-flush-in-copy_huge_page_from_user.patch
+mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.patch