The patch titled Subject: mm: fix the crash observed with syzkaller run has been removed from the -mm tree. Its filename was mm-recheck-page-table-entry-with-page-table-lock-held-fix.patch This patch was dropped because it was folded into mm-recheck-page-table-entry-with-page-table-lock-held.patch ------------------------------------------------------ From: "Aneesh Kumar K.V" <aneesh.kumar@xxxxxxxxxxxxx> Subject: mm: fix the crash observed with syzkaller run Call Trace: handle_mm_fault+0x54f/0xc70 mm/memory.c:3923 __do_page_fault+0x567/0xd10 arch/x86/mm/fault.c:1355 do_page_fault+0xed/0x7d1 arch/x86/mm/fault.c:1430 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1139 RIP: 0010:copy_user_enhanced_fast_string+0xe/0x20 We mark vmf->pte NULL if we identify a none pte on page table walk. Hence we should reread vmf-pte to recheck for none pte with page table lock held. Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@xxxxxxxxxxxxx Reported-by: Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx> Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx> Cc: Ido Schimmel <idosch@xxxxxxxxxx> Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- --- a/mm/memory.c~mm-recheck-page-table-entry-with-page-table-lock-held-fix +++ a/mm/memory.c @@ -3500,14 +3500,17 @@ static vm_fault_t do_fault(struct vm_fau * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ if (!vma->vm_ops->fault) { - /* - * pmd entries won't be marked none during a R/M/W cycle. + * If we find a migration pmd entry or a none pmd entry, which + * should never happen, return SIGBUS */ - if (unlikely(pmd_none(*vmf->pmd))) + if (unlikely(!pmd_present(*vmf->pmd))) ret = VM_FAULT_SIGBUS; else { - vmf->ptl = pte_lockptr(vmf->vma->vm_mm, vmf->pmd); + vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, + vmf->pmd, + vmf->address, + &vmf->ptl); /* * Make sure this is not a temporary clearing of pte * by holding ptl and checking again. A R/M/W update 
@@ -3515,12 +3518,12 @@ static vm_fault_t do_fault(struct vm_fau * we don't have concurrent modification by hardware * followed by an update. */ - spin_lock(vmf->ptl); if (unlikely(pte_none(*vmf->pte))) ret = VM_FAULT_SIGBUS; else ret = VM_FAULT_NOPAGE; - spin_unlock(vmf->ptl); + + pte_unmap_unlock(vmf->pte, vmf->ptl); } } else if (!(vmf->flags & FAULT_FLAG_WRITE)) ret = do_read_fault(vmf); _ Patches currently in -mm which might be from aneesh.kumar@xxxxxxxxxxxxx are mm-recheck-page-table-entry-with-page-table-lock-held.patch
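Review bot: for the first hunk (the `do_fault()` change at -3500), the replacement of `vmf->ptl = pte_lockptr(...)` with `vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, vmf->pmd, vmf->address, &vmf->ptl)` is the actual fix, but the code does not say why. The commit message explains it: vmf->pte is set to NULL when the walk saw a none pte, so the old sequence of `spin_lock(vmf->ptl)` followed by `pte_none(*vmf->pte)` dereferenced a NULL pointer, which is the syzkaller crash in the trace. Please fold that into the comment above the call (something like "vmf->pte may be NULL here, map it again under ptl before rereading") so the next person does not reintroduce a lock-only variant. Separately, the rewritten comment ("If we find a migration pmd entry or a none pmd entry, which should never happen, return SIGBUS") now matches the widened `!pmd_present(*vmf->pmd)` test, which is fine, but "should never happen" followed by a silent SIGBUS hides the unexpected state; since this path was only found by a fuzzer, a one-time warning at that point would make a future occurrence visible.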
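Review bot: for the second hunk (-3515), dropping `spin_lock(vmf->ptl)` is required now that `pte_offset_map_lock()` in the previous hunk takes ptl, and `pte_unmap_unlock(vmf->pte, vmf->ptl)` is reached on both the `VM_FAULT_SIGBUS` and the `VM_FAULT_NOPAGE` branch, so map/lock and unmap/unlock stay balanced on every path through the else block. One style point: the `+` that adds an empty line directly before `pte_unmap_unlock()` leaves a stray blank line inside the block and should be dropped.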