On Thu, Jun 07, 2018 at 03:13:44PM -0700, Andrew Morton wrote: > This patch is quite urgent and is tagged for -stable backporting, yet > it remains in an unreviewed state. Any takers? It looks a straightforward safe fix, on x86 hva_to_gfn_memslot would zap those bits and hide the misalignment caused by the low metadata bits being erroneously left set in the address, but the arm code notices when that's the last page in the memslot and the hva_end is getting aligned and the size is below one page. > [35380.933345] [<ffff000008088f00>] dump_backtrace+0x0/0x22c > [35380.938723] [<ffff000008089150>] show_stack+0x24/0x2c > [35380.943759] [<ffff00000893c078>] dump_stack+0x8c/0xb0 > [35380.948794] [<ffff00000820ab50>] bad_page+0xf4/0x154 > [35380.953740] [<ffff000008211ce8>] free_pages_check_bad+0x90/0x9c > [35380.959642] [<ffff00000820c430>] free_pcppages_bulk+0x464/0x518 > [35380.965545] [<ffff00000820db98>] free_hot_cold_page+0x22c/0x300 > [35380.971448] [<ffff0000082176fc>] __put_page+0x54/0x60 > [35380.976484] [<ffff0000080b1164>] unmap_stage2_range+0x170/0x2b4 > [35380.982385] [<ffff0000080b12d8>] kvm_unmap_hva_handler+0x30/0x40 > [35380.988375] [<ffff0000080b0104>] handle_hva_to_gpa+0xb0/0xec > [35380.994016] [<ffff0000080b2644>] kvm_unmap_hva_range+0x5c/0xd0 > [35380.999833] [<ffff0000080a8054>] > > I even injected a fault on purpose in kvm_unmap_hva_range by seting > size=size-0x200, the call trace is similar as above. So I thought the > panic is similarly caused by the root cause of WARN_ON. I think the problem triggers in the addr += PAGE_SIZE of unmap_stage2_ptes that never matches end because end is aligned but addr is not. } while (pte++, addr += PAGE_SIZE, addr != end); x86 again only works on hva_start/hva_end after converting it to gfn_start/end and that being in pfn units the bits are zapped before they risk to cause trouble. > > Link: http://lkml.kernel.org/r/1525403506-6750-1-git-send-email-hejianet@xxxxxxxxx > Signed-off-by: Jia He <jia.he@xxxxxxxxxxxxxxxx> > Cc: Suzuki K Poulose <Suzuki.Poulose@xxxxxxx> > Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx> > Cc: Minchan Kim <minchan@xxxxxxxxxx> > Cc: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxxxxxxx> > Cc: Arvind Yadav <arvind.yadav.cs@xxxxxxxxx> > Cc: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx> > Cc: Jia He <hejianet@xxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > --- > Reviewed-by: Andrea Arcangeli <aarcange@xxxxxxxxxx>
