From: Greg Kroah-Hartman
Date: Wed, 4 Nov 2020 09:06:15 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.14.204~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=831d01b8814707abe59c79d22e5f141779a4741c;p=thirdparty%2Fkernel%2Fstable-queue.git
4.19-stable patches
added patches:
mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tlb-switching-race.patch
---
diff --git a/queue-4.19/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tlb-switching-race.patch b/queue-4.19/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tlb-switching-race.patch
new file mode 100644
index 00000000000..ab89d407999
--- /dev/null
+++ b/queue-4.19/mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tlb-switching-race.patch
@@ -0,0 +1,108 @@
+From d53c3dfb23c45f7d4f910c3a3ca84bf0a99c6143 Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin
+Date: Mon, 14 Sep 2020 14:52:16 +1000
+Subject: mm: fix exec activate_mm vs TLB shootdown and lazy tlb switching race
+
+From: Nicholas Piggin
+
+commit d53c3dfb23c45f7d4f910c3a3ca84bf0a99c6143 upstream.
+
+Reading and modifying current->mm and current->active_mm and switching
+mm should be done with irqs off, to prevent races seeing an intermediate state.
+
+This is similar to commit 38cf307c1f20 ("mm: fix kthread_use_mm() vs TLB
+invalidate"). At exec-time when the new mm is activated, the old one
+should usually be single-threaded and no longer used, unless something
+else is holding an mm_users reference (which may be possible).
+
+Absent other mm_users, there is also a race with preemption and lazy tlb
+switching. Consider the kernel_execve case where the current thread is
+using a lazy tlb active mm:
+
+ call_usermodehelper()
+ kernel_execve()
+ old_mm = current->mm;
+ active_mm = current->active_mm;
+ *** preempt *** --------------------> schedule()
+ prev->active_mm = NULL;
+ mmdrop(prev active_mm);
+ ...
+ <-------------------- schedule()
+ current->mm = mm;
+ current->active_mm = mm;
+ if (!old_mm)
+ mmdrop(active_mm);
+
+If we switch back to the kernel thread from a different mm, there is a
+double free of the old active_mm, and a missing free of the new one.
+
+Closing this race only requires interrupts to be disabled while ->mm
+and ->active_mm are being switched, but the TLB problem requires also
+holding interrupts off over activate_mm. Unfortunately not all archs
+can do that yet, e.g., arm defers the switch if irqs are disabled and
+expects finish_arch_post_lock_switch() to be called to complete the
+flush; um takes a blocking lock in activate_mm().
+
+So as a first step, disable interrupts across the mm/active_mm updates
+to close the lazy tlb preempt race, and provide an arch option to
+extend that to activate_mm which allows architectures doing IPI based
+TLB shootdowns to close the second race.
+
+This is a bit ugly, but in the interest of fixing the bug and backporting
+before all architectures are converted this is a compromise.
+
+Signed-off-by: Nicholas Piggin
+Acked-by: Peter Zijlstra (Intel)
+[mpe: Manual backport to 4.19 due to membarrier_exec_mmap(mm) changes]
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20200914045219.3736466-2-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/Kconfig | 7 +++++++
+ fs/exec.c | 15 ++++++++++++++-
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -366,6 +366,13 @@ config HAVE_RCU_TABLE_FREE
+ config HAVE_RCU_TABLE_INVALIDATE
+ bool
+ 
++config ARCH_WANT_IRQS_OFF_ACTIVATE_MM
++ bool
++ help
++ Temporary select until all architectures can be converted to have
++ irqs disabled over activate_mm. Architectures that do IPI based TLB
++ shootdowns should enable this.
++
+ config ARCH_HAVE_NMI_SAFE_CMPXCHG
+ bool
+ 
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1028,10 +1028,23 @@ static int exec_mmap(struct mm_struct *m
+ }
+ }
+ task_lock(tsk);
++
++ local_irq_disable();
+ active_mm = tsk->active_mm;
+- tsk->mm = mm;
+ tsk->active_mm = mm;
++ tsk->mm = mm;
++ /*
++ * This prevents preemption while active_mm is being loaded and
++ * it and mm are being updated, which could cause problems for
++ * lazy tlb mm refcounting when these are updated by context
++ * switches. Not all architectures can handle irqs off over
++ * activate_mm yet.
++ */
++ if (!IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM))
++ local_irq_enable();
+ activate_mm(active_mm, mm);
++ if (IS_ENABLED(CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM))
++ local_irq_enable();
+ tsk->mm->vmacache_seqnum = 0;
+ vmacache_flush(tsk);
+ task_unlock(tsk);
diff --git a/queue-4.19/powerpc-powernv-smp-fix-spurious-dbg-warning.patch b/queue-4.19/powerpc-powernv-smp-fix-spurious-dbg-warning.patch
index aba773d383a..a3482d1075e 100644
--- a/queue-4.19/powerpc-powernv-smp-fix-spurious-dbg-warning.patch
+++ b/queue-4.19/powerpc-powernv-smp-fix-spurious-dbg-warning.patch
@@ -34,11 +34,9 @@ Signed-off-by: Michael Ellerman
 Link: https://lore.kernel.org/r/20200804005410.146094-2-oohall@gmail.com
 Signed-off-by: Sasha Levin
 ---
- arch/powerpc/platforms/powernv/smp.c | 2 +-
+ arch/powerpc/platforms/powernv/smp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/arch/powerpc/platforms/powernv/smp.c b/arch/powerpc/platforms/powernv/smp.c
-index 8d49ba370c504..889c3dbec6fb9 100644
 --- a/arch/powerpc/platforms/powernv/smp.c
 +++ b/arch/powerpc/platforms/powernv/smp.c
 @@ -47,7 +47,7 @@
@@ -50,6 +48,3 @@ index 8d49ba370c504..889c3dbec6fb9 100644
 #endif
 static void pnv_smp_setup_cpu(int cpu)
---
-2.27.0
-
diff --git a/queue-4.19/series b/queue-4.19/series
index bc8887dd139..adcbd52152e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -53,6 +53,7 @@ rdma-qedr-fix-memory-leak-in-iwarp-cm.patch
 ata-sata_nv-fix-retrieving-of-active-qcs.patch
 futex-fix-incorrect-should_fail_futex-handling.patch
 powerpc-powernv-smp-fix-spurious-dbg-warning.patch
+mm-fix-exec-activate_mm-vs-tlb-shootdown-and-lazy-tlb-switching-race.patch
 powerpc-select-arch_want_irqs_off_activate_mm.patch
 sparc64-remove-mm_cpumask-clearing-to-fix-kthread_us.patch
 f2fs-add-trace-exit-in-exception-path.patch
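Review bot: The added exec.c lines reverse the store order to `tsk->active_mm = mm;` before `tsk->mm = mm;` (the removed line assigned ->mm first), yet neither the new comment nor the description says why the order matters, so a later backport could "tidy" it back unnoticed; a hedged one-liner such as `/* active_mm is published before mm - presumably so no observer sees the new mm paired with the old lazy active_mm; confirm against upstream d53c3dfb23c4 */` would pin it. The unconditional `local_irq_enable()` on both IS_ENABLED branches also assumes exec_mmap() is always entered with interrupts on; adding `lockdep_assert_irqs_enabled();` immediately before the new `local_irq_disable();` makes that precondition checkable instead of implicit. The comment should further say plainly that on architectures without CONFIG_ARCH_WANT_IRQS_OFF_ACTIVATE_MM only the lazy-tlb double-mmdrop race is closed and the TLB-shootdown race described above stays open, so readers of this tree know the fix is partial until the powerpc select patch already listed in series lands. exec_mmap() begins before the hunk and continues past its last line.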