From: Sasha Levin
Date: Mon, 12 Dec 2022 03:05:34 +0000 (-0500)
Subject: Drop khugepaged backports from older trees
X-Git-Tag: v4.9.336~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c53412ef23bf4b9cb828dce608e2c27b57ee0745;p=thirdparty%2Fkernel%2Fstable-queue.git

Drop khugepaged backports from older trees

Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch b/queue-4.14/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch deleted file mode 100644 index d21dfccad03..00000000000 --- a/queue-4.14/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 165bce335b9ddb3d8c8d79c4977184bd34631720 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:02 +0100 -Subject: mm/khugepaged: fix GUP-fast interaction by sending IPI - -From: Jann Horn - -commit 2ba99c5e08812494bc57f319fb562f527d9bacd8 upstream. - -Since commit 70cbc3cc78a99 ("mm: gup: fix the fast GUP race against THP -collapse"), the lockless_pages_from_mm() fastpath rechecks the pmd_t to -ensure that the page table was not removed by khugepaged in between. - -However, lockless_pages_from_mm() still requires that the page table is -not concurrently freed. Fix it by sending IPIs (if the architecture uses -semi-RCU-style page table freeing) before freeing/reusing page tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-2-jannh@google.com -Fixes: ba76149f47d8 ("thp: khugepaged") -Signed-off-by: Jann Horn -Reviewed-by: Yang Shi -Acked-by: David Hildenbrand -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: two of the three places in khugepaged that can free -ptes were refactored into a common helper between 5.15 and 6.0; -TLB flushing was refactored between 5.4 and 5.10; -TLB flushing was refactored between 4.19 and 5.4; -pmd collapse for PTE-mapped THP was only added in 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - include/asm-generic/tlb.h | 6 ++++++ - mm/khugepaged.c | 2 ++ - mm/memory.c | 5 +++++ - 3 files changed, 13 insertions(+) - -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h -index 5e7e4aaf36c5..43409a047480 100644 ---- a/include/asm-generic/tlb.h -+++ b/include/asm-generic/tlb.h -@@ -60,6 +60,12 @@ struct mmu_table_batch { - extern void tlb_table_flush(struct mmu_gather *tlb); - extern void tlb_remove_table(struct mmu_gather *tlb, void *table); - -+void 
tlb_remove_table_sync_one(void); -+ -+#else -+ -+static inline void tlb_remove_table_sync_one(void) { } -+ - #endif - - /* -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index f426d42d629d..f67c02010add 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1046,6 +1046,7 @@ static void collapse_huge_page(struct mm_struct *mm, - _pmd = pmdp_collapse_flush(vma, address, pmd); - spin_unlock(pmd_ptl); - mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end); -+ tlb_remove_table_sync_one(); - - spin_lock(pte_ptl); - isolated = __collapse_huge_page_isolate(vma, address, pte); -@@ -1295,6 +1296,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - atomic_long_dec(&mm->nr_ptes); -+ tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); - } - up_write(&mm->mmap_sem); -diff --git a/mm/memory.c b/mm/memory.c -index 615cb3fe763d..0136af15ba18 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -373,6 +373,11 @@ static void tlb_remove_table_smp_sync(void *arg) - /* Simply deliver the interrupt */ - } - -+void tlb_remove_table_sync_one(void) -+{ -+ smp_call_function(tlb_remove_table_smp_sync, NULL, 1); -+} -+ - static void tlb_remove_table_one(void *table) - { - /* --- -2.35.1 - diff --git a/queue-4.14/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch b/queue-4.14/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch deleted file mode 100644 index 7763bdca649..00000000000 --- a/queue-4.14/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From ce9077a52b4724eecb73b6c1e7bc2a4d3c11b996 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:03 +0100 -Subject: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths - -From: Jann Horn - -commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9 upstream. - -Any codepath that zaps page table entries must invoke MMU notifiers to -ensure that secondary MMUs (like KVM) don't keep accessing pages which -aren't mapped anymore. Secondary MMUs don't hold their own references to -pages that are mirrored over, so failing to notify them can lead to page -use-after-free. - -I'm marking this as addressing an issue introduced in commit f3f0e1d2150b -("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of -the security impact of this only came in commit 27e1f8273113 ("khugepaged: -enable collapse pmd for pte-mapped THP"), which actually omitted flushes -for the removal of present PTEs, not just for the removal of empty page -tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-3-jannh@google.com -Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") -Signed-off-by: Jann Horn -Acked-by: David Hildenbrand -Reviewed-by: Yang Shi -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: this code was refactored from two copies into a common -helper between 5.15 and 6.0; -pmd collapse for PTE-mapped THP was only added in 5.4; -MMU notifier API changed between 4.19 and 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - mm/khugepaged.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index f67c02010add..7ad88b9e5a65 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1291,13 +1291,20 @@ static void 
retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - */ - if (down_write_trylock(&mm->mmap_sem)) { - if (!khugepaged_test_exit(mm)) { -- spinlock_t *ptl = pmd_lock(mm, pmd); -+ spinlock_t *ptl; -+ unsigned long end = addr + HPAGE_PMD_SIZE; -+ -+ mmu_notifier_invalidate_range_start(mm, addr, -+ end); -+ ptl = pmd_lock(mm, pmd); - /* assume page table is clear */ - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - atomic_long_dec(&mm->nr_ptes); - tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); -+ mmu_notifier_invalidate_range_end(mm, addr, -+ end); - } - up_write(&mm->mmap_sem); - } --- -2.35.1 - diff --git a/queue-4.14/series b/queue-4.14/series index 5a77e120baf..682e41af9eb 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -7,8 +7,6 @@ alsa-seq-fix-function-prototype-mismatch-in-snd_seq_.patch asoc-soc-pcm-add-null-check-in-be-reparenting.patch regulator-twl6030-fix-get-status-of-twl6032-regulato.patch net-usb-qmi_wwan-add-u-blox-0x1342-composition.patch -mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch -mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch diff --git a/queue-4.19/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch b/queue-4.19/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch deleted file mode 100644 index 88fee3087e5..00000000000 --- a/queue-4.19/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 3632d00b16cd354d851feb70d7d8198d8e1f21ce Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:07 +0100 -Subject: mm/khugepaged: fix GUP-fast interaction by sending IPI - -From: Jann Horn - -commit 2ba99c5e08812494bc57f319fb562f527d9bacd8 upstream. - -Since commit 70cbc3cc78a99 ("mm: gup: fix the fast GUP race against THP -collapse"), the lockless_pages_from_mm() fastpath rechecks the pmd_t to -ensure that the page table was not removed by khugepaged in between. - -However, lockless_pages_from_mm() still requires that the page table is -not concurrently freed. Fix it by sending IPIs (if the architecture uses -semi-RCU-style page table freeing) before freeing/reusing page tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-2-jannh@google.com -Fixes: ba76149f47d8 ("thp: khugepaged") -Signed-off-by: Jann Horn -Reviewed-by: Yang Shi -Acked-by: David Hildenbrand -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: two of the three places in khugepaged that can free -ptes were refactored into a common helper between 5.15 and 6.0; -TLB flushing was refactored between 5.4 and 5.10; -TLB flushing was refactored between 4.19 and 5.4; -pmd collapse for PTE-mapped THP was only added in 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - include/asm-generic/tlb.h | 6 ++++++ - mm/khugepaged.c | 2 ++ - mm/memory.c | 5 +++++ - 3 files changed, 13 insertions(+) - -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h -index db72ad39853b..737f5cb0dc84 100644 ---- a/include/asm-generic/tlb.h -+++ b/include/asm-generic/tlb.h -@@ -61,6 +61,12 @@ struct mmu_table_batch { - extern void tlb_table_flush(struct mmu_gather *tlb); - extern void tlb_remove_table(struct mmu_gather *tlb, void *table); - -+void 
tlb_remove_table_sync_one(void); -+ -+#else -+ -+static inline void tlb_remove_table_sync_one(void) { } -+ - #endif - - /* -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index 5dd14ef2e1de..561660966435 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1045,6 +1045,7 @@ static void collapse_huge_page(struct mm_struct *mm, - _pmd = pmdp_collapse_flush(vma, address, pmd); - spin_unlock(pmd_ptl); - mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end); -+ tlb_remove_table_sync_one(); - - spin_lock(pte_ptl); - isolated = __collapse_huge_page_isolate(vma, address, pte); -@@ -1294,6 +1295,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - mm_dec_nr_ptes(mm); -+ tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); - } - up_write(&mm->mmap_sem); -diff --git a/mm/memory.c b/mm/memory.c -index 800834cff4e6..b80ce6b3c8f4 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -362,6 +362,11 @@ static void tlb_remove_table_smp_sync(void *arg) - /* Simply deliver the interrupt */ - } - -+void tlb_remove_table_sync_one(void) -+{ -+ smp_call_function(tlb_remove_table_smp_sync, NULL, 1); -+} -+ - static void tlb_remove_table_one(void *table) - { - /* --- -2.35.1 - diff --git a/queue-4.19/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch b/queue-4.19/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch deleted file mode 100644 index 6ec0a1ee1d5..00000000000 --- a/queue-4.19/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From ce8cd48d81d003fb25e67bdcf6b20b1144fa7e6b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:08 +0100 -Subject: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths - -From: Jann Horn - -commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9 upstream. - -Any codepath that zaps page table entries must invoke MMU notifiers to -ensure that secondary MMUs (like KVM) don't keep accessing pages which -aren't mapped anymore. Secondary MMUs don't hold their own references to -pages that are mirrored over, so failing to notify them can lead to page -use-after-free. - -I'm marking this as addressing an issue introduced in commit f3f0e1d2150b -("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of -the security impact of this only came in commit 27e1f8273113 ("khugepaged: -enable collapse pmd for pte-mapped THP"), which actually omitted flushes -for the removal of present PTEs, not just for the removal of empty page -tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-3-jannh@google.com -Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") -Signed-off-by: Jann Horn -Acked-by: David Hildenbrand -Reviewed-by: Yang Shi -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: this code was refactored from two copies into a common -helper between 5.15 and 6.0; -pmd collapse for PTE-mapped THP was only added in 5.4; -MMU notifier API changed between 4.19 and 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - mm/khugepaged.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index 561660966435..b1fed0d2439b 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1290,13 +1290,20 @@ static void 
retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - */ - if (down_write_trylock(&mm->mmap_sem)) { - if (!khugepaged_test_exit(mm)) { -- spinlock_t *ptl = pmd_lock(mm, pmd); -+ spinlock_t *ptl; -+ unsigned long end = addr + HPAGE_PMD_SIZE; -+ -+ mmu_notifier_invalidate_range_start(mm, addr, -+ end); -+ ptl = pmd_lock(mm, pmd); - /* assume page table is clear */ - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - mm_dec_nr_ptes(mm); - tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); -+ mmu_notifier_invalidate_range_end(mm, addr, -+ end); - } - up_write(&mm->mmap_sem); - } --- -2.35.1 - diff --git a/queue-4.19/series b/queue-4.19/series index 3489f792493..a59970fbfd3 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -10,8 +10,6 @@ regulator-twl6030-fix-get-status-of-twl6032-regulato.patch fbcon-use-kzalloc-in-fbcon_prepare_logo.patch 9p-xen-check-logical-size-for-buffer-size.patch net-usb-qmi_wwan-add-u-blox-0x1342-composition.patch -mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch -mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch diff --git a/queue-4.9/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch b/queue-4.9/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch deleted file mode 100644 index 1d85fa00886..00000000000 --- a/queue-4.9/mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 18272dc2c996b123561f4cde7900aeee19d295f8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:02 +0100 -Subject: mm/khugepaged: fix GUP-fast interaction by sending IPI - -From: Jann Horn - -commit 2ba99c5e08812494bc57f319fb562f527d9bacd8 upstream. - -Since commit 70cbc3cc78a99 ("mm: gup: fix the fast GUP race against THP -collapse"), the lockless_pages_from_mm() fastpath rechecks the pmd_t to -ensure that the page table was not removed by khugepaged in between. - -However, lockless_pages_from_mm() still requires that the page table is -not concurrently freed. Fix it by sending IPIs (if the architecture uses -semi-RCU-style page table freeing) before freeing/reusing page tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-2-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-2-jannh@google.com -Fixes: ba76149f47d8 ("thp: khugepaged") -Signed-off-by: Jann Horn -Reviewed-by: Yang Shi -Acked-by: David Hildenbrand -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: two of the three places in khugepaged that can free -ptes were refactored into a common helper between 5.15 and 6.0; -TLB flushing was refactored between 5.4 and 5.10; -TLB flushing was refactored between 4.19 and 5.4; -pmd collapse for PTE-mapped THP was only added in 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - include/asm-generic/tlb.h | 6 ++++++ - mm/khugepaged.c | 2 ++ - mm/memory.c | 5 +++++ - 3 files changed, 13 insertions(+) - -diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h -index e9851100c0f7..4b1c142be08c 100644 ---- a/include/asm-generic/tlb.h -+++ b/include/asm-generic/tlb.h -@@ -60,6 +60,12 @@ struct mmu_table_batch { - extern void tlb_table_flush(struct mmu_gather *tlb); - extern void tlb_remove_table(struct mmu_gather *tlb, void *table); - -+void 
tlb_remove_table_sync_one(void); -+ -+#else -+ -+static inline void tlb_remove_table_sync_one(void) { } -+ - #endif - - /* -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index 0f1bdbae45e2..fef0fdc0a981 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1044,6 +1044,7 @@ static void collapse_huge_page(struct mm_struct *mm, - _pmd = pmdp_collapse_flush(vma, address, pmd); - spin_unlock(pmd_ptl); - mmu_notifier_invalidate_range_end(mm, mmun_start, mmun_end); -+ tlb_remove_table_sync_one(); - - spin_lock(pte_ptl); - isolated = __collapse_huge_page_isolate(vma, address, pte); -@@ -1293,6 +1294,7 @@ static void retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - atomic_long_dec(&mm->nr_ptes); -+ tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); - } - up_write(&mm->mmap_sem); -diff --git a/mm/memory.c b/mm/memory.c -index 36d46e19df96..a93ea671b8f1 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -349,6 +349,11 @@ static void tlb_remove_table_smp_sync(void *arg) - /* Simply deliver the interrupt */ - } - -+void tlb_remove_table_sync_one(void) -+{ -+ smp_call_function(tlb_remove_table_smp_sync, NULL, 1); -+} -+ - static void tlb_remove_table_one(void *table) - { - /* --- -2.35.1 - diff --git a/queue-4.9/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch b/queue-4.9/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch deleted file mode 100644 index 45d0109791a..00000000000 --- a/queue-4.9/mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 6c97a51d5330c6cac5eebb07a19952dd38c698d8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 6 Dec 2022 18:16:03 +0100 -Subject: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths - -From: Jann Horn - -commit f268f6cf875f3220afc77bdd0bf1bb136eb54db9 upstream. - -Any codepath that zaps page table entries must invoke MMU notifiers to -ensure that secondary MMUs (like KVM) don't keep accessing pages which -aren't mapped anymore. Secondary MMUs don't hold their own references to -pages that are mirrored over, so failing to notify them can lead to page -use-after-free. - -I'm marking this as addressing an issue introduced in commit f3f0e1d2150b -("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of -the security impact of this only came in commit 27e1f8273113 ("khugepaged: -enable collapse pmd for pte-mapped THP"), which actually omitted flushes -for the removal of present PTEs, not just for the removal of empty page -tables. - -Link: https://lkml.kernel.org/r/20221129154730.2274278-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221128180252.1684965-3-jannh@google.com -Link: https://lkml.kernel.org/r/20221125213714.4115729-3-jannh@google.com -Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages") -Signed-off-by: Jann Horn -Acked-by: David Hildenbrand -Reviewed-by: Yang Shi -Cc: John Hubbard -Cc: Peter Xu -Cc: -Signed-off-by: Andrew Morton -[manual backport: this code was refactored from two copies into a common -helper between 5.15 and 6.0; -pmd collapse for PTE-mapped THP was only added in 5.4; -MMU notifier API changed between 4.19 and 5.4] -Signed-off-by: Jann Horn -Signed-off-by: Sasha Levin ---- - mm/khugepaged.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/mm/khugepaged.c b/mm/khugepaged.c -index fef0fdc0a981..8c30d2086800 100644 ---- a/mm/khugepaged.c -+++ b/mm/khugepaged.c -@@ -1289,13 +1289,20 @@ static void 
retract_page_tables(struct address_space *mapping, pgoff_t pgoff) - */ - if (down_write_trylock(&mm->mmap_sem)) { - if (!khugepaged_test_exit(mm)) { -- spinlock_t *ptl = pmd_lock(mm, pmd); -+ spinlock_t *ptl; -+ unsigned long end = addr + HPAGE_PMD_SIZE; -+ -+ mmu_notifier_invalidate_range_start(mm, addr, -+ end); -+ ptl = pmd_lock(mm, pmd); - /* assume page table is clear */ - _pmd = pmdp_collapse_flush(vma, addr, pmd); - spin_unlock(ptl); - atomic_long_dec(&mm->nr_ptes); - tlb_remove_table_sync_one(); - pte_free(mm, pmd_pgtable(_pmd)); -+ mmu_notifier_invalidate_range_end(mm, addr, -+ end); - } - up_write(&mm->mmap_sem); - } --- -2.35.1 - diff --git a/queue-4.9/series b/queue-4.9/series index c52b07f4ce8..ad5dcd2ef2b 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -3,8 +3,6 @@ arm-dts-rockchip-fix-ir-receiver-node-names.patch arm-9251-1-perf-fix-stacktraces-for-tracepoint-event.patch alsa-seq-fix-function-prototype-mismatch-in-snd_seq_.patch asoc-soc-pcm-add-null-check-in-be-reparenting.patch -mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch -mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch xen-netback-ensure-protocol-headers-don-t-fall-in-th.patch xen-netback-do-some-code-cleanup.patch xen-netback-don-t-call-kfree_skb-with-interrupts-dis.patch
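Review bot: the commit message gives no reason for the drop; it consists of the subject and a Signed-off-by only, while the deleted queue-4.9, queue-4.14 and queue-4.19 copies of mm-khugepaged-fix-gup-fast-interaction-by-sending-ip.patch each carry `Fixes: ba76149f47d8 ("thp: khugepaged")` and describe a page table being freed while lockless_pages_from_mm() may still be walking it. Suggest adding a sentence that says why the backports are removed from these three trees and whether a reworked backport is expected, so that someone reading the queue history can tell whether 4.9, 4.14 and 4.19 are left without the fix on purpose.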
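Review bot: for the deleted mm-khugepaged-invoke-mmu-notifiers-in-shmem-file-col.patch files, the commit should record whether the fix is considered unnecessary on these trees or only deferred. The patch's own message says most of the security impact arrived with commit 27e1f8273113 and its backport note says pmd collapse for PTE-mapped THP was only added in 5.4, yet it still names f3f0e1d2150b as the introducing commit, and its retract_page_tables() hunk adds mmu_notifier_invalidate_range_start() and mmu_notifier_invalidate_range_end() around pmdp_collapse_flush() and pte_free(). One line in the commit message stating which reading applies to 4.9, 4.14 and 4.19 would settle it.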
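Review bot: the queue-4.14/series, queue-4.19/series and queue-4.9/series hunks remove both entries at once without noting that the second patch depends on the first. The deleted MMU notifier patch has `tlb_remove_table_sync_one();` as a context line in retract_page_tables(), and its mm/khugepaged.c index line starts from the blob the GUP-fast patch produces (f67c02010add in queue-4.14, 561660966435 in queue-4.19, fef0fdc0a981 in queue-4.9), so it would not apply alone. Suggest mentioning the dependency in the commit message and confirming that no later entry in each series uses tlb_remove_table_sync_one(); the three trailing context lines are xen-netback patches, but the rest of each series is not visible in these hunks.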