The patch titled
     Subject: mm: fix the crash observed with syzkaller run
has been added to the -mm tree.  Its filename is
     mm-recheck-page-table-entry-with-page-table-lock-held-fix.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-recheck-page-table-entry-with-page-table-lock-held-fix.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-recheck-page-table-entry-with-page-table-lock-held-fix.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: "Aneesh Kumar K.V" <aneesh.kumar@xxxxxxxxxxxxx>
Subject: mm: fix the crash observed with syzkaller run

Call Trace:
 handle_mm_fault+0x54f/0xc70 mm/memory.c:3923
 __do_page_fault+0x567/0xd10 arch/x86/mm/fault.c:1355
 do_page_fault+0xed/0x7d1 arch/x86/mm/fault.c:1430
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1139
RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20

We mark vmf->pte NULL if we identify a none pte on page table walk.  Hence
we should reread vmf->pte to recheck for none pte with page table lock
held.

Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@xxxxxxxxxxxxx
Reported-by: Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx>
Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx>
Cc: Ido Schimmel <idosch@xxxxxxxxxx>
Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

--- a/mm/memory.c~mm-recheck-page-table-entry-with-page-table-lock-held-fix
+++ a/mm/memory.c
@@ -3747,14 +3747,17 @@ static vm_fault_t do_fault(struct vm_fau * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ if (!vma->vm_ops->fault) { - /* - * pmd entries won't be marked none during a R/M/W cycle. + * If we find a migration pmd entry or a none pmd entry, which + * should never happen, return SIGBUS */ - if (unlikely(pmd_none(*vmf->pmd))) + if (unlikely(!pmd_present(*vmf->pmd))) ret = VM_FAULT_SIGBUS; else { - vmf->ptl = pte_lockptr(vmf->vma->vm_mm, vmf->pmd); + vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, + vmf->pmd, + vmf->address, + &vmf->ptl); /* * Make sure this is not a temporary clearing of pte * by holding ptl and checking again. A R/M/W update @@ -3762,12 +3765,12 @@ static vm_fault_t do_fault(struct vm_fau * we don't have concurrent modification by hardware * followed by an update. */ - spin_lock(vmf->ptl); if (unlikely(pte_none(*vmf->pte))) ret = VM_FAULT_SIGBUS; else ret = VM_FAULT_NOPAGE; - spin_unlock(vmf->ptl); + + pte_unmap_unlock(vmf->pte, vmf->ptl); } } else if (!(vmf->flags & FAULT_FLAG_WRITE)) ret = do_read_fault(vmf); _ Patches currently in -mm which might be from aneesh.kumar@xxxxxxxxxxxxx are mm-recheck-page-table-entry-with-page-table-lock-held.patch mm-recheck-page-table-entry-with-page-table-lock-held-fix.patch
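Review bot: the switch from pmd_none() to !pmd_present() in the first hunk (@@ -3747) is a behaviour change the changelog does not mention: a pmd migration entry now takes the VM_FAULT_SIGBUS path as well, where before it fell through to the pte check. The new comment says this "should never happen", but one sentence in the changelog on why SIGBUS (rather than waiting for the migration to complete) is the right answer for a non-present pmd here would help the next reader. Also, as the hunk is shown, the `/*` line is removed together with the old comment text while only the two `*` text lines are added back, so the rewritten comment has no opening delimiter; please confirm the applied patch keeps the `/*`, since as shown the block would not compile.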
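Review bot: replacing the bare spin_lock(vmf->ptl)/spin_unlock(vmf->ptl) pair in the second hunk (@@ -3762) with the pte_offset_map_lock()/pte_unmap_unlock() pair is the actual crash fix, and the changelog should say so explicitly: per the changelog vmf->pte is left NULL when the walk found a none pte, so the old code's pte_none(*vmf->pte) under the lock dereferenced that NULL pointer; re-deriving vmf->pte from vmf->pmd at the point of taking the lock removes the dereference and also makes the "checking again" comment true. Two things worth a line in the changelog or a comment: the map/unlock pair is balanced only because there is no early return between `if (unlikely(pte_none(*vmf->pte)))` and `pte_unmap_unlock(vmf->pte, vmf->ptl);`, and pte_unmap_unlock() (not plain spin_unlock()) is required because pte_offset_map_lock() maps the pte page on CONFIG_HIGHPTE configurations.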