From: Greg Kroah-Hartman Date: Fri, 13 May 2022 14:10:30 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.314~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6dae48a2d1ea6ca58e882f24a3abb90f4e844138;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: mm-fix-invalid-page-pointer-returned-with-foll_pin-gups.patch --- diff --git a/queue-5.17/mm-fix-invalid-page-pointer-returned-with-foll_pin-gups.patch b/queue-5.17/mm-fix-invalid-page-pointer-returned-with-foll_pin-gups.patch new file mode 100644 index 00000000000..113de8de6c3 --- /dev/null +++ b/queue-5.17/mm-fix-invalid-page-pointer-returned-with-foll_pin-gups.patch @@ -0,0 +1,79 @@ +From 7196040e19ad634293acd3eff7083149d7669031 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Tue, 22 Mar 2022 14:39:37 -0700 +Subject: mm: fix invalid page pointer returned with FOLL_PIN gups + +From: Peter Xu + +commit 7196040e19ad634293acd3eff7083149d7669031 upstream. + +Patch series "mm/gup: some cleanups", v5. + +This patch (of 5): + +Alex reported invalid page pointer returned with pin_user_pages_remote() +from vfio after upstream commit 4b6c33b32296 ("vfio/type1: Prepare for +batched pinning with struct vfio_batch"). + +It turns out that it's not the fault of the vfio commit; however after +vfio switches to a full page buffer to store the page pointers it starts +to expose the problem easier. + +The problem is for VM_PFNMAP vmas we should normally fail with an +-EFAULT then vfio will carry on to handle the MMIO regions. However +when the bug triggered, follow_page_mask() returned -EEXIST for such a +page, which will jump over the current page, leaving that entry in +**pages untouched. However the caller is not aware of it, hence the +caller will reference the page as usual even if the pointer data can be +anything. + +We had that -EEXIST logic since commit 1027e4436b6a ("mm: make GUP +handle pfn mapping unless FOLL_GET is requested") which seems very +reasonable. It could be that when we reworked GUP with FOLL_PIN we +could have overlooked that special path in commit 3faa52c03f44 ("mm/gup: +track FOLL_PIN pages"), even if that commit rightfully touched up +follow_devmap_pud() on checking FOLL_PIN when it needs to return an +-EEXIST. + +Attaching the Fixes to the FOLL_PIN rework commit, as it happened later +than 1027e4436b6a. + +[jhubbard@nvidia.com: added some tags, removed a reference to an out of tree module.] + +Link: https://lkml.kernel.org/r/20220207062213.235127-1-jhubbard@nvidia.com +Link: https://lkml.kernel.org/r/20220204020010.68930-1-jhubbard@nvidia.com +Link: https://lkml.kernel.org/r/20220204020010.68930-2-jhubbard@nvidia.com +Fixes: 3faa52c03f44 ("mm/gup: track FOLL_PIN pages") +Signed-off-by: Peter Xu +Signed-off-by: John Hubbard +Reviewed-by: Claudio Imbrenda +Reported-by: Alex Williamson +Debugged-by: Alex Williamson +Tested-by: Alex Williamson +Reviewed-by: Christoph Hellwig +Reviewed-by: Jan Kara +Cc: Andrea Arcangeli +Cc: Kirill A. Shutemov +Cc: Jason Gunthorpe +Cc: David Hildenbrand +Cc: Lukas Bulwahn +Cc: Matthew Wilcox (Oracle) +Cc: Jason Gunthorpe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + mm/gup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -465,7 +465,7 @@ static int follow_pfn_pte(struct vm_area + pte_t *pte, unsigned int flags) + { + /* No page to get reference */ +- if (flags & FOLL_GET) ++ if (flags & (FOLL_GET | FOLL_PIN)) + return -EFAULT; + + if (flags & FOLL_TOUCH) { diff --git a/queue-5.17/series b/queue-5.17/series index 12340dfef46..284e9e9710b 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -9,3 +9,4 @@ mm-userfaultfd-fix-missing-cache-flush-in-mcopy_atomic_pte-and-__mcopy_atomic.pa mm-hwpoison-fix-error-page-recovered-but-reported-not-recovered.patch mm-mlock-fix-potential-imbalanced-rlimit-ucounts-adjustment.patch mm-migrate-fix-establishing-demotion-target.patch +mm-fix-invalid-page-pointer-returned-with-foll_pin-gups.patch