The patch titled
Subject: mm/memory.c: recheck page table entry with page table lock held
has been added to the -mm tree. Its filename is
mm-recheck-page-table-entry-with-page-table-lock-held.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/mm-recheck-page-table-entry-with-page-table-lock-held.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/mm-recheck-page-table-entry-with-page-table-lock-held.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: "Aneesh Kumar K.V" <aneesh.kumar@xxxxxxxxxxxxx>
Subject: mm/memory.c: recheck page table entry with page table lock held
We clear the pte temporarily during read/modify/write update of the pte.
If we take a page fault while the pte is cleared, the application can get
SIGBUS. One such case is with remap_pfn_range without a backing
vm_ops->fault callback. do_fault will return SIGBUS in that case.
cpu 0 cpu1
mprotect()
ptep_modify_prot_start()/pte cleared.
.
. page fault.
.
.
prep_modify_prot_commit()
Fix this by taking page table lock and rechecking for pte_none.
Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@xxxxxxxxxxxxx
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxx>
Acked-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/memory.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
--- a/mm/memory.c~mm-recheck-page-table-entry-with-page-table-lock-held
+++ a/mm/memory.c
@@ -3743,10 +3743,33 @@ static vm_fault_t do_fault(struct vm_fau
struct vm_area_struct *vma = vmf->vma;
vm_fault_t ret;
- /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */
- if (!vma->vm_ops->fault)
- ret = VM_FAULT_SIGBUS;
- else if (!(vmf->flags & FAULT_FLAG_WRITE))
+ /*
+ * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND
+ */
+ if (!vma->vm_ops->fault) {
+
+ /*
+ * pmd entries won't be marked none during a R/M/W cycle.
+ */
+ if (unlikely(pmd_none(*vmf->pmd)))
+ ret = VM_FAULT_SIGBUS;
+ else {
+ vmf->ptl = pte_lockptr(vmf->vma->vm_mm, vmf->pmd);
+ /*
+ * Make sure this is not a temporary clearing of pte
+ * by holding ptl and checking again. A R/M/W update
+ * of pte involves: take ptl, clearing the pte so that
+ * we don't have concurrent modification by hardware
+ * followed by an update.
+ */
+ spin_lock(vmf->ptl);
+ if (unlikely(pte_none(*vmf->pte)))
+ ret = VM_FAULT_SIGBUS;
+ else
+ ret = VM_FAULT_NOPAGE;
+ spin_unlock(vmf->ptl);
+ }
+ } else if (!(vmf->flags & FAULT_FLAG_WRITE))
ret = do_read_fault(vmf);
else if (!(vma->vm_flags & VM_SHARED))
ret = do_cow_fault(vmf);
_
Patches currently in -mm which might be from aneesh.kumar@xxxxxxxxxxxxx are
mm-recheck-page-table-entry-with-page-table-lock-held.patch
