From: Greg Kroah-Hartman
Date: Wed, 4 Jun 2025 12:59:20 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.12.33~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c901cb2b727958ddfa0c1ac54699861ea10b2c49;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
series
---
diff --git a/queue-6.1/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch b/queue-6.1/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
new file mode 100644
index 0000000000..038f7f6e86
--- /dev/null
+++ b/queue-6.1/mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
@@ -0,0 +1,96 @@ +From 270aa010620697fb27b8f892cc4e194bc2b7d134 Mon Sep 17 00:00:00 2001 +From: Peter Xu +Date: Wed, 17 May 2023 15:09:15 -0400 +Subject: mm/uffd: fix vma operation where start addr cuts part of vma + +From: Peter Xu + +commit 270aa010620697fb27b8f892cc4e194bc2b7d134 upstream. + +Patch series "mm/uffd: Fix vma merge/split", v2. + +This series contains two patches that fix vma merge/split for userfaultfd +on two separate issues. + +Patch 1 fixes a regression since 6.1+ due to something we overlooked when +converting to maple tree apis. The plan is we use patch 1 to replace the +commit "2f628010799e (mm: userfaultfd: avoid passing an invalid range to +vma_merge())" in mm-hostfixes-unstable tree if possible, so as to bring +uffd vma operations back aligned with the rest code again. + +Patch 2 fixes a long standing issue that vma can be left unmerged even if +we can for either uffd register or unregister. + +Many thanks to Lorenzo on either noticing this issue from the assert +movement patch, looking at this problem, and also provided a reproducer on +the unmerged vma issue [1]. + +[1] https://gist.github.com/lorenzo-stoakes/a11a10f5f479e7a977fc456331266e0e + + +This patch (of 2): + +It seems vma merging with uffd paths is broken with either +register/unregister, where right now we can feed wrong parameters to +vma_merge() and it's found by recent patch which moved asserts upwards in +vma_merge() by Lorenzo Stoakes: + +https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ + +It's possible that "start" is contained within vma but not clamped to its +start. We need to convert this into either "cannot merge" case or "can +merge" case 4 which permits subdivision of prev by assigning vma to prev. +As we loop, each subsequent VMA will be clamped to the start. + +This patch will eliminate the report and make sure vma_merge() calls will +become legal again. 
+ +One thing to mention is that the "Fixes: 29417d292bd0" below is there only +to help explain where the warning can start to trigger, the real commit to +fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the +issue, but unfortunately we may want to keep it in Fixes too just to ease +kernel backporters for easier tracking. + +Link: https://lkml.kernel.org/r/20230517190916.3429499-1-peterx@redhat.com +Link: https://lkml.kernel.org/r/20230517190916.3429499-2-peterx@redhat.com +Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") +Signed-off-by: Peter Xu +Reported-by: Mark Rutland +Reviewed-by: Lorenzo Stoakes +Reviewed-by: Liam R. Howlett +Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ +Cc: Lorenzo Stoakes +Cc: Mike Rapoport (IBM) +Cc: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +[acsjakub: contextual change - keep call to mas_next()] +Cc: +Signed-off-by: Jakub Acs +Signed-off-by: Greg Kroah-Hartman +--- + fs/userfaultfd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -1426,6 +1426,9 @@ static int userfaultfd_register(struct u + if (prev != vma) + mas_next(&mas, ULONG_MAX); + ++ if (vma->vm_start < start) ++ prev = vma; ++ + ret = 0; + do { + cond_resched(); +@@ -1603,6 +1606,9 @@ static int userfaultfd_unregister(struct + if (prev != vma) + mas_next(&mas, ULONG_MAX); + ++ if (vma->vm_start < start) ++ prev = vma; ++ + ret = 0; + do { + cond_resched(); diff --git a/queue-6.1/series b/queue-6.1/series new file mode 100644 index 0000000000..ab5c3679ba --- /dev/null +++ b/queue-6.1/series @@ -0,0 +1 @@ +mm-uffd-fix-vma-operation-where-start-addr-cuts-part-of-vma.patch
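Review bot: in the userfaultfd_register hunk (`@@ -1426,6 +1426,9 @@`), the added `if (vma->vm_start < start) prev = vma;` is placed after the `if (prev != vma) mas_next(&mas, ULONG_MAX);` repositioning that the backport keeps, so the maple state is untouched by the fix; what reviewers should confirm is that `vma` at that point is still the first VMA of the range returned by the earlier lookup (the one that may contain `start` without being clamped to it), because the assignment is only meaningful for that VMA, and the `do { cond_resched(); ... }` loop below then hands `prev == vma` to vma_merge(), which the commit message describes as the legal "case 4" subdivision instead of the invalid range that tripped the moved asserts. Because the 6.1 code retains `mas_next()` where upstream 270aa010620697 used different iteration context, the bracketed `[acsjakub: contextual change - keep call to mas_next()]` note would be more useful to later backporters if it also said which upstream context lines were substituted, so the divergence from the upstream hunk is traceable without diffing the two by hand.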
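Review bot: the userfaultfd_unregister hunk (`@@ -1603,6 +1606,9 @@`) repeats the register-path change verbatim, which is consistent with the identical `mas_next()` and `do { cond_resched();` context shown for both functions; the one thing to check is that `start` and `vma` carry the same meaning on the unregister path as on the register path before this point, since the fix assumes `vma` is the VMA that contains `start`. Separately, the commit message refers to a `"Fixes: 29417d292bd0" below` that it says should be kept "in Fixes too", yet the trailer block lists only `Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")`; either add the second Fixes line or trim that paragraph so the explanation and the tags agree, otherwise stable tooling that keys on Fixes tags will not see the second commit the text mentions.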