From 46d3b288e1b957c4803a2f6cb95a9bd74adf50ad Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 1 Jan 2020 19:11:25 +0100
Subject: [PATCH] drop hmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch from everywhere

---
 queue-4.14/series | 1 -
 ...n-shmem_fault-if-mmap_sem-is-dropped.patch | 88 -------------------
 queue-4.19/series | 1 -
 ...n-shmem_fault-if-mmap_sem-is-dropped.patch | 88 -------------------
 queue-4.9/series | 1 -
 ...n-shmem_fault-if-mmap_sem-is-dropped.patch | 88 -------------------
 queue-5.4/series | 1 -
 ...n-shmem_fault-if-mmap_sem-is-dropped.patch | 88 -------------------
 8 files changed, 356 deletions(-)
 delete mode 100644 queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
 delete mode 100644 queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
 delete mode 100644 queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
 delete mode 100644 queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch

diff --git a/queue-4.14/series b/queue-4.14/series
index ca79c2da890..906ae54096c 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -68,4 +68,3 @@ inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
 net-add-a-read_once-in-skb_peek_tail.patch
 net-icmp-fix-data-race-in-cmp_global_allow.patch
 hrtimer-annotate-lockless-access-to-timer-state.patch
-shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
diff --git a/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644
index 2c7c5f9d148..00000000000
--- a/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" -Date: Sat, 30 Nov 2019 17:50:26 -0800 -Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped - -From: Kirill A. Shutemov - -commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream. - -syzbot found the following crash: - - BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 - - CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - Call Trace: - perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - trace_lock_acquire include/trace/events/lock.h:13 [inline] - lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 - __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] - _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 - spin_lock include/linux/spinlock.h:338 [inline] - shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 - __do_fault+0x111/0x540 mm/memory.c:3083 - do_shared_fault mm/memory.c:3535 [inline] - do_fault mm/memory.c:3613 [inline] - handle_pte_fault mm/memory.c:3840 [inline] - __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 - handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 - do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] - __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 - do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 - page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 - -It happens if the VMA got unmapped under us while we dropped mmap_sem -and inode got freed. - -Pinning the file if we drop mmap_sem fixes the issue. - -Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box -Signed-off-by: Kirill A. 
Shutemov -Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com -Acked-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Cc: Hillf Danton -Cc: Hugh Dickins -Cc: Josef Bacik -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -1969,16 +1969,14 @@ static int shmem_fault(struct vm_fault * - shmem_falloc->waitq && - vmf->pgoff >= shmem_falloc->start && - vmf->pgoff < shmem_falloc->next) { -+ struct file *fpin; - wait_queue_head_t *shmem_falloc_waitq; - DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); - - ret = VM_FAULT_NOPAGE; -- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -- /* It's polite to up mmap_sem if we can */ -- up_read(&vma->vm_mm->mmap_sem); -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); -+ if (fpin) - ret = VM_FAULT_RETRY; -- } - - shmem_falloc_waitq = shmem_falloc->waitq; - prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -@@ -1996,6 +1994,9 @@ static int shmem_fault(struct vm_fault * - spin_lock(&inode->i_lock); - finish_wait(shmem_falloc_waitq, &shmem_fault_wait); - spin_unlock(&inode->i_lock); -+ -+ if (fpin) -+ fput(fpin); - return ret; - } - spin_unlock(&inode->i_lock); diff --git a/queue-4.19/series b/queue-4.19/series index 1a0c6ebef8f..158fc8beea8 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -87,4 +87,3 @@ inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch net-add-a-read_once-in-skb_peek_tail.patch net-icmp-fix-data-race-in-cmp_global_allow.patch hrtimer-annotate-lockless-access-to-timer-state.patch -shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch 
diff --git a/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644
index 06a3c1d5f37..00000000000
--- a/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" -Date: Sat, 30 Nov 2019 17:50:26 -0800 -Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped - -From: Kirill A. Shutemov - -commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream. - -syzbot found the following crash: - - BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 - - CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - Call Trace: - perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - trace_lock_acquire include/trace/events/lock.h:13 [inline] - lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 - __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] - _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 - spin_lock include/linux/spinlock.h:338 [inline] - shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 - __do_fault+0x111/0x540 mm/memory.c:3083 - do_shared_fault mm/memory.c:3535 [inline] - do_fault mm/memory.c:3613 [inline] - handle_pte_fault mm/memory.c:3840 [inline] - __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 - handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 - do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] - __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 - do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 - page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 - -It happens if the VMA got unmapped under us while we dropped mmap_sem -and inode got freed. - -Pinning the file if we drop mmap_sem fixes the issue. - -Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box -Signed-off-by: Kirill A. 
Shutemov -Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com -Acked-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Cc: Hillf Danton -Cc: Hugh Dickins -Cc: Josef Bacik -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -1989,16 +1989,14 @@ static vm_fault_t shmem_fault(struct vm_ - shmem_falloc->waitq && - vmf->pgoff >= shmem_falloc->start && - vmf->pgoff < shmem_falloc->next) { -+ struct file *fpin; - wait_queue_head_t *shmem_falloc_waitq; - DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); - - ret = VM_FAULT_NOPAGE; -- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -- /* It's polite to up mmap_sem if we can */ -- up_read(&vma->vm_mm->mmap_sem); -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); -+ if (fpin) - ret = VM_FAULT_RETRY; -- } - - shmem_falloc_waitq = shmem_falloc->waitq; - prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -@@ -2016,6 +2014,9 @@ static vm_fault_t shmem_fault(struct vm_ - spin_lock(&inode->i_lock); - finish_wait(shmem_falloc_waitq, &shmem_fault_wait); - spin_unlock(&inode->i_lock); -+ -+ if (fpin) -+ fput(fpin); - return ret; - } - spin_unlock(&inode->i_lock); diff --git a/queue-4.9/series b/queue-4.9/series index 3807579462a..7bb3e783516 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -160,4 +160,3 @@ netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch net-icmp-fix-data-race-in-cmp_global_allow.patch hrtimer-annotate-lockless-access-to-timer-state.patch -shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch 
diff --git a/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644
index ca3440d4190..00000000000
--- a/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" -Date: Sat, 30 Nov 2019 17:50:26 -0800 -Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped - -From: Kirill A. Shutemov - -commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream. - -syzbot found the following crash: - - BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 - - CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - Call Trace: - perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - trace_lock_acquire include/trace/events/lock.h:13 [inline] - lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 - __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] - _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 - spin_lock include/linux/spinlock.h:338 [inline] - shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 - __do_fault+0x111/0x540 mm/memory.c:3083 - do_shared_fault mm/memory.c:3535 [inline] - do_fault mm/memory.c:3613 [inline] - handle_pte_fault mm/memory.c:3840 [inline] - __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 - handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 - do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] - __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 - do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 - page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 - -It happens if the VMA got unmapped under us while we dropped mmap_sem -and inode got freed. - -Pinning the file if we drop mmap_sem fixes the issue. - -Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box -Signed-off-by: Kirill A. 
Shutemov -Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com -Acked-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Cc: Hillf Danton -Cc: Hugh Dickins -Cc: Josef Bacik -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -1925,16 +1925,14 @@ static int shmem_fault(struct vm_area_st - shmem_falloc->waitq && - vmf->pgoff >= shmem_falloc->start && - vmf->pgoff < shmem_falloc->next) { -+ struct file *fpin; - wait_queue_head_t *shmem_falloc_waitq; - DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); - - ret = VM_FAULT_NOPAGE; -- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -- /* It's polite to up mmap_sem if we can */ -- up_read(&vma->vm_mm->mmap_sem); -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); -+ if (fpin) - ret = VM_FAULT_RETRY; -- } - - shmem_falloc_waitq = shmem_falloc->waitq; - prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -@@ -1952,6 +1950,9 @@ static int shmem_fault(struct vm_area_st - spin_lock(&inode->i_lock); - finish_wait(shmem_falloc_waitq, &shmem_fault_wait); - spin_unlock(&inode->i_lock); -+ -+ if (fpin) -+ fput(fpin); - return ret; - } - spin_unlock(&inode->i_lock); diff --git a/queue-5.4/series b/queue-5.4/series index 8f78bd77a6e..9489293098c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -145,4 +145,3 @@ tomoyo-don-t-use-nifty-names-on-sockets.patch uaccess-disallow-int_max-copy-sizes.patch drm-limit-to-int_max-in-create_blob-ioctl.patch xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch -shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch deleted file mode 100644 index 5c3a7fd2132..00000000000 
--- a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@ -From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" -Date: Sat, 30 Nov 2019 17:50:26 -0800 -Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped - -From: Kirill A. Shutemov - -commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream. - -syzbot found the following crash: - - BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173 - - CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146 - Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 - Call Trace: - perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13 - trace_lock_acquire include/trace/events/lock.h:13 [inline] - lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411 - __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] - _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 - spin_lock include/linux/spinlock.h:338 [inline] - shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034 - __do_fault+0x111/0x540 mm/memory.c:3083 - do_shared_fault mm/memory.c:3535 [inline] - do_fault mm/memory.c:3613 [inline] - handle_pte_fault mm/memory.c:3840 [inline] - __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964 - handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001 - do_user_addr_fault arch/x86/mm/fault.c:1441 [inline] - __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506 - do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530 - page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202 - -It happens if the VMA got unmapped under us while we dropped mmap_sem -and inode got freed. - -Pinning the file if we drop mmap_sem fixes the issue. - -Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box -Signed-off-by: Kirill A. 
Shutemov -Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com -Acked-by: Johannes Weiner -Reviewed-by: Matthew Wilcox (Oracle) -Cc: Hillf Danton -Cc: Hugh Dickins -Cc: Josef Bacik -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - mm/shmem.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - ---- a/mm/shmem.c -+++ b/mm/shmem.c -@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_ - shmem_falloc->waitq && - vmf->pgoff >= shmem_falloc->start && - vmf->pgoff < shmem_falloc->next) { -+ struct file *fpin; - wait_queue_head_t *shmem_falloc_waitq; - DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function); - - ret = VM_FAULT_NOPAGE; -- if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) && -- !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) { -- /* It's polite to up mmap_sem if we can */ -- up_read(&vma->vm_mm->mmap_sem); -+ fpin = maybe_unlock_mmap_for_io(vmf, NULL); -+ if (fpin) - ret = VM_FAULT_RETRY; -- } - - shmem_falloc_waitq = shmem_falloc->waitq; - prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait, -@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_ - spin_lock(&inode->i_lock); - finish_wait(shmem_falloc_waitq, &shmem_fault_wait); - spin_unlock(&inode->i_lock); -+ -+ if (fpin) -+ fput(fpin); - return ret; - } - spin_unlock(&inode->i_lock); -- 2.47.3
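Review bot: Dropping this backport from all four queues leaves the syzbot-reported KASAN use-after-free in shmem_fault() (upstream 8897c1b1a179) unfixed in 4.9, 4.14, 4.19 and 5.4, and the commit message gives no reason for the drop. The deleted hunk replaces the open-coded `up_read(&vma->vm_mm->mmap_sem)` with `maybe_unlock_mmap_for_io(vmf, NULL)`, a helper that I believe only arrived in 5.5 with the filemap mmap_sem-dropping rework, so the patch presumably failed to build on these branches — if so, record that, e.g. `Dropped: does not build, maybe_unlock_mmap_for_io() is not present before 5.5; needs a manual backport.` A branch-specific backport could carry the same fix without the helper by taking a `get_file(vma->vm_file)` reference just before the existing `up_read()` and releasing it with `fput()` after `finish_wait()`, which is what the helper does upstream. Until that lands, these stable trees keep the window in which the VMA is unmapped and the inode freed while the faulting task sleeps on `shmem_falloc_waitq`, and the `spin_lock(&inode->i_lock)` after the wait touches freed memory. The subject line also misspells the dropped file as `hmem-pin-…` rather than `shmem-pin-…`.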