From 4aa4f3e1944be399538049e405d6ea7285abf9db Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 Oct 2022 12:28:44 +0200
Subject: [PATCH] 5.4-stable patches

added patches:
mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
---
 ..._pageout-mishandling-on-non-lru-page.patch | 55 ++++++++++++++
 ...device.c-flush-tlb-while-holding-ptl.patch | 74 +++++++++++++++++++
 queue-5.4/series | 2 +
 3 files changed, 131 insertions(+)
 create mode 100644 queue-5.4/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
 create mode 100644 queue-5.4/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
diff --git a/queue-5.4/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch b/queue-5.4/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
new file mode 100644
index 00000000000..1dcdf75173a
--- /dev/null
+++ b/queue-5.4/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
@@ -0,0 +1,55 @@
+From 58d426a7ba92870d489686dfdb9d06b66815a2ab Mon Sep 17 00:00:00 2001
+From: Minchan Kim
+Date: Thu, 8 Sep 2022 08:12:04 -0700
+Subject: mm: fix madivse_pageout mishandling on non-LRU page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Minchan Kim
+
+commit 58d426a7ba92870d489686dfdb9d06b66815a2ab upstream.
+
+MADV_PAGEOUT tries to isolate non-LRU pages and gets a warning from
+isolate_lru_page below.
+
+Fix it by checking PageLRU in advance.
+
+------------[ cut here ]------------
+trying to isolate tail page
+WARNING: CPU: 0 PID: 6175 at mm/folio-compat.c:158 isolate_lru_page+0x130/0x140
+Modules linked in:
+CPU: 0 PID: 6175 Comm: syz-executor.0 Not tainted 5.18.12 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:isolate_lru_page+0x130/0x140
+
+Link: https://lore.kernel.org/linux-mm/485f8c33.2471b.182d5726afb.Coremail.hantianshuo@iie.ac.cn/
+Link: https://lkml.kernel.org/r/20220908151204.762596-1-minchan@kernel.org
+Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT")
+Signed-off-by: Minchan Kim
+Reported-by: 韩天ç`•
+Suggested-by: Yang Shi
+Acked-by: Yang Shi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/madvise.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -428,8 +428,11 @@ regular_page:
+ continue;
+ }
+ 
+- /* Do not interfere with other mappings of this page */
+- if (page_mapcount(page) != 1)
++ /*
++ * Do not interfere with other mappings of this page and
++ * non-LRU page.
++ */
++ if (!PageLRU(page) || page_mapcount(page) != 1)
+ continue;
+ 
+ VM_BUG_ON_PAGE(PageTransCompound(page), page);
diff --git a/queue-5.4/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch b/queue-5.4/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
new file mode 100644
index 00000000000..f89fa69a06e
--- /dev/null
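Review bot: The new `!PageLRU(page)` test in the mm/madvise.c hunk is evaluated with only the PTL held, not lru_lock, so it is a racy hint rather than a guarantee: a page can leave or join the LRU between this check and the later isolation, which is only safe because isolate_lru_page() (not shown in the hunk) re-validates the flag under lru_lock and simply fails for a page that is no longer on the LRU. The comment added here says only "non-LRU page" and does not record that, so I would extend it, upstream first and then in this backport, with `/* PageLRU() is checked without lru_lock; isolate_lru_page() re-checks under the lock, so a stale answer only skips the page */`. The enclosing madvise_cold_or_pageout_pte_range() begins and ends outside the quoted inner hunk, so the pageout path that consumes this decision is not visible here.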
+++ b/queue-5.4/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch 
@@ -0,0 +1,74 @@
+From 60bae73708963de4a17231077285bd9ff2f41c44 Mon Sep 17 00:00:00 2001
+From: Alistair Popple
+Date: Fri, 2 Sep 2022 10:35:51 +1000
+Subject: mm/migrate_device.c: flush TLB while holding PTL
+
+From: Alistair Popple
+
+commit 60bae73708963de4a17231077285bd9ff2f41c44 upstream.
+
+When clearing a PTE the TLB should be flushed whilst still holding the PTL
+to avoid a potential race with madvise/munmap/etc. For example consider
+the following sequence:
+
+ CPU0 CPU1
+ ---- ----
+
+ migrate_vma_collect_pmd()
+ pte_unmap_unlock()
+ madvise(MADV_DONTNEED)
+ -> zap_pte_range()
+ pte_offset_map_lock()
+ [ PTE not present, TLB not flushed ]
+ pte_unmap_unlock()
+ [ page is still accessible via stale TLB ]
+ flush_tlb_range()
+
+In this case the page may still be accessed via the stale TLB entry after
+madvise returns. Fix this by flushing the TLB while holding the PTL.
+
+Fixes: 8c3328f1f36a ("mm/migrate: migrate_vma() unmap page from vma while collecting pages")
+Link: https://lkml.kernel.org/r/9f801e9d8d830408f2ca27821f606e09aa856899.1662078528.git-series.apopple@nvidia.com
+Signed-off-by: Alistair Popple
+Reported-by: Nadav Amit
+Reviewed-by: "Huang, Ying"
+Acked-by: David Hildenbrand
+Acked-by: Peter Xu
+Cc: Alex Sierra
+Cc: Ben Skeggs
+Cc: Felix Kuehling
+Cc: huang ying
+Cc: Jason Gunthorpe
+Cc: John Hubbard
+Cc: Karol Herbst
+Cc: Logan Gunthorpe
+Cc: Lyude Paul
+Cc: Matthew Wilcox
+Cc: Paul Mackerras
+Cc: Ralph Campbell
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -2343,13 +2343,14 @@ next:
+ migrate->dst[migrate->npages] = 0;
+ migrate->src[migrate->npages++] = mpfn;
+ }
+- arch_leave_lazy_mmu_mode();
+- pte_unmap_unlock(ptep - 1, ptl);
+ 
+ /* Only flush the TLB if we actually modified any entries */
+ if (unmapped)
+ flush_tlb_range(walk->vma, start, end);
+ 
++ arch_leave_lazy_mmu_mode();
++ pte_unmap_unlock(ptep - 1, ptl);
++
+ return 0;
+ }
+ 
diff --git a/queue-5.4/series b/queue-5.4/series
index f60bf554364..54631d4a4da 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -10,3 +10,5 @@ libata-add-ata_horkage_nolpm-for-pioneer-bdr-207m-and-bdr-205.patch
 mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
 mm-page_alloc-fix-race-condition-between-build_all_zonelists-and-page-allocation.patch
 mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
+mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
+mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
-- 
2.47.3
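Review bot: In the mm/migrate.c hunk the order flush_tlb_range() before pte_unmap_unlock() is now load-bearing, yet the only comment left on it ("Only flush the TLB if we actually modified any entries") describes the conditional, not the locking requirement, so nothing stops a later cleanup from hoisting the unlock back above the flush and silently reopening the race described in the commit message. I would extend the comment with the reason: `/* Flush while still holding the PTL: once it is dropped a concurrent zap (e.g. MADV_DONTNEED) can find the PTE already cleared and return while the stale TLB entry is still live */`. As this is a verbatim backport the comment belongs upstream first and then in the queue. The enclosing migrate_vma_collect_pmd() and the loop that sets `unmapped` and clears the PTEs start outside the quoted inner hunk, so the claim that every cleared entry is covered by the flush is inferred from the commit message rather than visible here.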