Patch "powerpc/pseries/vas: Hold mmap_mutex after mmap lock during window close" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    powerpc/pseries/vas: Hold mmap_mutex after mmap lock during window close

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     powerpc-pseries-vas-hold-mmap_mutex-after-mmap-lock-.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bf2fb3cbff40cf4d6375d9d8481592a20bfa3ff3
Author: Haren Myneni <haren@xxxxxxxxxxxxx>
Date:   Sun Jul 16 03:05:06 2023 -0700

    powerpc/pseries/vas: Hold mmap_mutex after mmap lock during window close
    
    [ Upstream commit b59c9dc4d9d47b3c4572d826603fde507055b656 ]
    
    Commit 8ef7b9e1765a ("powerpc/pseries/vas: Close windows with DLPAR
    core removal") unmaps the window paste address and issues HCALL to
    close window in the hypervisor for migration or DLPAR core removal
    events. So holds mmap_mutex and then mmap lock before unmap the
    paste address. But if the user space issue mmap paste address at
    the same time with the migration event, coproc_mmap() is called
    after holding the mmap lock which can trigger deadlock when trying
    to acquire mmap_mutex in coproc_mmap().
    
    t1: mmap() call to mmap              t2: Migration event
        window paste address
    
    do_mmap2()                           migration_store()
     ksys_mmap_pgoff()                    pseries_migrate_partition()
      vm_mmap_pgoff()                      vas_migration_handler()
        Acquire mmap lock                   reconfig_close_windows()
        do_mmap()                             lock mmap_mutex
         mmap_region()                        Acquire mmap lock
          call_mmap()                         //Wait for mmap lock
           coproc_mmap()                        unmap vma
             lock mmap_mutex                    update window status
             //wait for mmap_mutex            Release mmap lock
              mmap vma                        unlock mmap_mutex
              update window status
             unlock mmap_mutex
        ...
        Release mmap lock
    
    Fix this deadlock issue by holding mmap lock first before mmap_mutex
    in reconfig_close_windows().
    
    Fixes: 8ef7b9e1765a ("powerpc/pseries/vas: Close windows with DLPAR core removal")
    Signed-off-by: Haren Myneni <haren@xxxxxxxxxxxxx>
    Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
    Link: https://msgid.link/20230716100506.7833-1-haren@xxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/arch/powerpc/platforms/pseries/vas.c b/arch/powerpc/platforms/pseries/vas.c
index 9a44a98ba3420..3fbc2a6aa319d 100644
--- a/arch/powerpc/platforms/pseries/vas.c
+++ b/arch/powerpc/platforms/pseries/vas.c
@@ -744,6 +744,12 @@ static int reconfig_close_windows(struct vas_caps *vcap, int excess_creds,
 		}
 
 		task_ref = &win->vas_win.task_ref;
+		/*
+		 * VAS mmap (coproc_mmap()) and its fault handler
+		 * (vas_mmap_fault()) are called after holding mmap lock.
+		 * So hold mmap mutex after mmap_lock to avoid deadlock.
+		 */
+		mmap_write_lock(task_ref->mm);
 		mutex_lock(&task_ref->mmap_mutex);
 		vma = task_ref->vma;
 		/*
@@ -752,7 +758,6 @@ static int reconfig_close_windows(struct vas_caps *vcap, int excess_creds,
 		 */
 		win->vas_win.status |= flag;
 
-		mmap_write_lock(task_ref->mm);
 		/*
 		 * vma is set in the original mapping. But this mapping
 		 * is done with mmap() after the window is opened with ioctl.
@@ -762,8 +767,8 @@ static int reconfig_close_windows(struct vas_caps *vcap, int excess_creds,
 		if (vma)
 			zap_vma_pages(vma);
 
-		mmap_write_unlock(task_ref->mm);
 		mutex_unlock(&task_ref->mmap_mutex);
+		mmap_write_unlock(task_ref->mm);
 		/*
 		 * Close VAS window in the hypervisor, but do not
 		 * free vas_window struct since it may be reused



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux