From 0444529f63745df83289824b75cc28cfa1dfd8c7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 Oct 2022 12:28:56 +0200
Subject: [PATCH] 5.15-stable patches

added patches:
mm-fix-dereferencing-possible-err_ptr.patch
mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
mm-hwpoison-check-mm-when-killing-accessing-process.patch
mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
---
...m-fix-dereferencing-possible-err_ptr.patch | 39 ++++++++++
..._pageout-mishandling-on-non-lru-page.patch | 55 ++++++++++++++
...ck-mm-when-killing-accessing-process.patch | 53 +++++++++++++
...device.c-flush-tlb-while-holding-ptl.patch | 74 +++++++++++++++++++
queue-5.15/series | 4 +
5 files changed, 225 insertions(+)
create mode 100644 queue-5.15/mm-fix-dereferencing-possible-err_ptr.patch
create mode 100644 queue-5.15/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
create mode 100644 queue-5.15/mm-hwpoison-check-mm-when-killing-accessing-process.patch
create mode 100644 queue-5.15/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
diff --git a/queue-5.15/mm-fix-dereferencing-possible-err_ptr.patch b/queue-5.15/mm-fix-dereferencing-possible-err_ptr.patch
new file mode 100644
index 00000000000..4ab1d8bfb67
--- /dev/null
+++ b/queue-5.15/mm-fix-dereferencing-possible-err_ptr.patch
@@ -0,0 +1,39 @@
+From 4eb5bbde3ccb710d3b85bfb13466612e56393369 Mon Sep 17 00:00:00 2001
+From: Binyi Han
+Date: Sun, 4 Sep 2022 00:46:47 -0700
+Subject: mm: fix dereferencing possible ERR_PTR
+
+From: Binyi Han
+
+commit 4eb5bbde3ccb710d3b85bfb13466612e56393369 upstream.
+
+Smatch checker complains that 'secretmem_mnt' dereferencing possible
+ERR_PTR(). Let the function return if 'secretmem_mnt' is ERR_PTR, to
+avoid deferencing it.
+
+Link: https://lkml.kernel.org/r/20220904074647.GA64291@cloud-MacBookPro
+Fixes: 1507f51255c9f ("mm: introduce memfd_secret system call to create "secret" memory areas")
+Signed-off-by: Binyi Han
+Reviewed-by: Andrew Morton
+Cc: Mike Rapoport
+Cc: Ammar Faizi
+Cc: Hagen Paul Pfeifer
+Cc: James Bottomley
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/secretmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/secretmem.c
++++ b/mm/secretmem.c
+@@ -283,7 +283,7 @@ static int secretmem_init(void)
+ 
+ secretmem_mnt = kern_mount(&secretmem_fs);
+ if (IS_ERR(secretmem_mnt))
+- ret = PTR_ERR(secretmem_mnt);
++ return PTR_ERR(secretmem_mnt);
+ 
+ /* prevent secretmem mappings from ever getting PROT_EXEC */
+ secretmem_mnt->mnt_flags |= MNT_NOEXEC;
diff --git a/queue-5.15/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch b/queue-5.15/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
new file mode 100644
index 00000000000..11ecbe86da7
--- /dev/null
+++ b/queue-5.15/mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
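Review bot: After the new `return PTR_ERR(secretmem_mnt);` the file-scope `secretmem_mnt` is left holding the ERR_PTR value rather than NULL, so any later code that dereferences it after checking only `secretmem_enable` would still fault; it is worth confirming whether a failed kern_mount() should also disable the feature or reset the pointer. A short reviewer-style comment on the new line, `/* secretmem_mnt stays an ERR_PTR here; confirm no later user dereferences it unguarded */`, would make that follow-up visible. With this change `ret` appears to be assigned nowhere else inside the hunk, so if its only other assignment is the initialiser, the trailing `return ret` could become `return 0`. The start of secretmem_init() and its final return are outside the hunk.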
@@ -0,0 +1,55 @@
+From 58d426a7ba92870d489686dfdb9d06b66815a2ab Mon Sep 17 00:00:00 2001
+From: Minchan Kim
+Date: Thu, 8 Sep 2022 08:12:04 -0700
+Subject: mm: fix madivse_pageout mishandling on non-LRU page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Minchan Kim
+
+commit 58d426a7ba92870d489686dfdb9d06b66815a2ab upstream.
+
+MADV_PAGEOUT tries to isolate non-LRU pages and gets a warning from
+isolate_lru_page below.
+
+Fix it by checking PageLRU in advance.
+
+------------[ cut here ]------------
+trying to isolate tail page
+WARNING: CPU: 0 PID: 6175 at mm/folio-compat.c:158 isolate_lru_page+0x130/0x140
+Modules linked in:
+CPU: 0 PID: 6175 Comm: syz-executor.0 Not tainted 5.18.12 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+RIP: 0010:isolate_lru_page+0x130/0x140
+
+Link: https://lore.kernel.org/linux-mm/485f8c33.2471b.182d5726afb.Coremail.hantianshuo@iie.ac.cn/
+Link: https://lkml.kernel.org/r/20220908151204.762596-1-minchan@kernel.org
+Fixes: 1a4e58cce84e ("mm: introduce MADV_PAGEOUT")
+Signed-off-by: Minchan Kim
+Reported-by: 韩天ç`•
+Suggested-by: Yang Shi
+Acked-by: Yang Shi
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/madvise.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -436,8 +436,11 @@ regular_page:
+ continue;
+ }
+ 
+- /* Do not interfere with other mappings of this page */
+- if (page_mapcount(page) != 1)
++ /*
++ * Do not interfere with other mappings of this page and
++ * non-LRU page.
++ */
++ if (!PageLRU(page) || page_mapcount(page) != 1)
+ continue;
+ 
+ VM_BUG_ON_PAGE(PageTransCompound(page), page);
diff --git a/queue-5.15/mm-hwpoison-check-mm-when-killing-accessing-process.patch b/queue-5.15/mm-hwpoison-check-mm-when-killing-accessing-process.patch
new file mode 100644
index 00000000000..e3fe59e26af
--- /dev/null
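Review bot: The new comment `Do not interfere with other mappings of this page and non-LRU page.` reads awkwardly and does not say why non-LRU pages are skipped, which is the whole point of the fix; suggest `Skip pages that are not on an LRU list (isolate_lru_page() warns on them) and pages that are mapped elsewhere.` on the three new comment lines. The added `PageLRU(page)` test is made without any LRU lock, so it can only be a best-effort pre-filter: the page could presumably leave the LRU between this test and the later isolate_lru_page() call the description mentions, which must still tolerate that on its own, and a word to that effect in the comment would stop a reader from treating the check as a guarantee. The enclosing loop starts and ends outside the hunk.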
+++ b/queue-5.15/mm-hwpoison-check-mm-when-killing-accessing-process.patch
@@ -0,0 +1,53 @@
+From 77677cdbc2aa4b5d5d839562793d3d126201d18d Mon Sep 17 00:00:00 2001
+From: Shuai Xue
+Date: Wed, 14 Sep 2022 14:49:35 +0800
+Subject: mm,hwpoison: check mm when killing accessing process
+
+From: Shuai Xue
+
+commit 77677cdbc2aa4b5d5d839562793d3d126201d18d upstream.
+
+The GHES code calls memory_failure_queue() from IRQ context to queue work
+into workqueue and schedule it on the current CPU. Then the work is
+processed in memory_failure_work_func() by kworker and calls
+memory_failure().
+
+When a page is already poisoned, commit a3f5d80ea401 ("mm,hwpoison: send
+SIGBUS with error virutal address") make memory_failure() call
+kill_accessing_process() that:
+
+ - holds mmap locking of current->mm
+ - does pagetable walk to find the error virtual address
+ - and sends SIGBUS to the current process with error info.
+
+However, the mm of kworker is not valid, resulting in a null-pointer
+dereference. So check mm when killing the accessing process.
+
+[akpm@linux-foundation.org: remove unrelated whitespace alteration]
+Link: https://lkml.kernel.org/r/20220914064935.7851-1-xueshuai@linux.alibaba.com
+Fixes: a3f5d80ea401 ("mm,hwpoison: send SIGBUS with error virutal address")
+Signed-off-by: Shuai Xue
+Reviewed-by: Miaohe Lin
+Acked-by: Naoya Horiguchi
+Cc: Huang Ying
+Cc: Baolin Wang
+Cc: Bixuan Cui
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/memory-failure.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -700,6 +700,9 @@ static int kill_accessing_process(struct
+ };
+ priv.tk.tsk = p;
+ 
++ if (!p->mm)
++ return -EFAULT;
++
+ mmap_read_lock(p->mm);
+ ret = walk_page_range(p->mm, 0, TASK_SIZE, &hwp_walk_ops,
+ (void *)&priv);
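Review bot: The new `if (!p->mm) return -EFAULT;` carries no comment, and -EFAULT is presumably also what the caller sees when the page-table walk below fails to locate the poisoned address, so the kernel-thread case becomes indistinguishable from a genuine lookup failure at the call site; suggest `/* No mm: called from a kernel thread (e.g. the GHES workqueue), so there is no user context to signal. */` above the check. The test reads `p->mm` without task_lock() or get_task_mm(); that is safe when `p` is `current`, as the description states, but nothing in the hunk enforces it, so a one-line note of that assumption next to the check would protect against a future caller passing another task. The start of kill_accessing_process() and the rest of its body are outside the hunk.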
diff --git a/queue-5.15/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch b/queue-5.15/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
new file mode 100644
index 00000000000..9949b159eef
--- /dev/null
+++ b/queue-5.15/mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
@@ -0,0 +1,74 @@
+From 60bae73708963de4a17231077285bd9ff2f41c44 Mon Sep 17 00:00:00 2001
+From: Alistair Popple
+Date: Fri, 2 Sep 2022 10:35:51 +1000
+Subject: mm/migrate_device.c: flush TLB while holding PTL
+
+From: Alistair Popple
+
+commit 60bae73708963de4a17231077285bd9ff2f41c44 upstream.
+
+When clearing a PTE the TLB should be flushed whilst still holding the PTL
+to avoid a potential race with madvise/munmap/etc. For example consider
+the following sequence:
+
+ CPU0 CPU1
+ ---- ----
+
+ migrate_vma_collect_pmd()
+ pte_unmap_unlock()
+ madvise(MADV_DONTNEED)
+ -> zap_pte_range()
+ pte_offset_map_lock()
+ [ PTE not present, TLB not flushed ]
+ pte_unmap_unlock()
+ [ page is still accessible via stale TLB ]
+ flush_tlb_range()
+
+In this case the page may still be accessed via the stale TLB entry after
+madvise returns. Fix this by flushing the TLB while holding the PTL.
+
+Fixes: 8c3328f1f36a ("mm/migrate: migrate_vma() unmap page from vma while collecting pages")
+Link: https://lkml.kernel.org/r/9f801e9d8d830408f2ca27821f606e09aa856899.1662078528.git-series.apopple@nvidia.com
+Signed-off-by: Alistair Popple
+Reported-by: Nadav Amit
+Reviewed-by: "Huang, Ying"
+Acked-by: David Hildenbrand
+Acked-by: Peter Xu
+Cc: Alex Sierra
+Cc: Ben Skeggs
+Cc: Felix Kuehling
+Cc: huang ying
+Cc: Jason Gunthorpe
+Cc: John Hubbard
+Cc: Karol Herbst
+Cc: Logan Gunthorpe
+Cc: Lyude Paul
+Cc: Matthew Wilcox
+Cc: Paul Mackerras
+Cc: Ralph Campbell
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/migrate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -2422,13 +2422,14 @@ next:
+ migrate->dst[migrate->npages] = 0;
+ migrate->src[migrate->npages++] = mpfn;
+ }
+- arch_leave_lazy_mmu_mode();
+- pte_unmap_unlock(ptep - 1, ptl);
+ 
+ /* Only flush the TLB if we actually modified any entries */
+ if (unmapped)
+ flush_tlb_range(walk->vma, start, end);
+ 
++ arch_leave_lazy_mmu_mode();
++ pte_unmap_unlock(ptep - 1, ptl);
++
+ return 0;
+ }
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 856e4bac420..a1a6b068255 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -28,3 +28,7 @@ mmc-moxart-fix-4-bit-bus-width-and-remove-8-bit-bus-width.patch
 mmc-hsq-fix-data-stomping-during-mmc-recovery.patch
 mm-page_alloc-fix-race-condition-between-build_all_zonelists-and-page-allocation.patch
 mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
+mm-fix-dereferencing-possible-err_ptr.patch
+mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
+mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
+mm-hwpoison-check-mm-when-killing-accessing-process.patch
-- 
2.47.3
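Review bot: The existing comment `/* Only flush the TLB if we actually modified any entries */` now sits above a flush whose correctness depends on the PTL still being held, but nothing in the code records that ordering constraint, so a later cleanup could move `pte_unmap_unlock(ptep - 1, ptl);` back above the flush and reintroduce the race the description documents. Suggest extending the comment to `/* Only flush the TLB if we actually modified any entries. Do it while still holding the PTL so a concurrent zap cannot observe a cleared PTE while a stale translation is still live. */`. The backport modifies mm/migrate.c although the title names migrate_device.c, presumably because the file was split after 5.15; a one-line remark in the stable patch description would spare the next reader the lookup. The enclosing function (migrate_vma_collect_pmd() per the description) starts outside the hunk.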