Centos-kernel-stream-9/arch/sparc/mm
Rafael Aquini aab4f9828f mm: fix race between __split_huge_pmd_locked() and GUP-fast
JIRA: https://issues.redhat.com/browse/RHEL-27745

This patch is a backport of the following upstream commit:
commit 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7
Author: Ryan Roberts <ryan.roberts@arm.com>
Date:   Wed May 1 15:33:10 2024 +0100

    mm: fix race between __split_huge_pmd_locked() and GUP-fast

    __split_huge_pmd_locked() can be called for a present THP, devmap or
    (non-present) migration entry.  It calls pmdp_invalidate() unconditionally
    on the pmdp and only determines if it is present or not based on the
    returned old pmd.  This is a problem for the migration entry case because
    pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a
    present pmd.

    On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future
    call to pmd_present() will return true.  And therefore any lockless
    pgtable walker could see the migration entry pmd in this state and start
    interpreting the fields as if it were present, leading to BadThings (TM).
    GUP-fast appears to be one such lockless pgtable walker.

    x86 does not suffer the above problem, but instead pmd_mkinvalid() will
    corrupt the offset field of the swap entry within the swap pte.  See link
    below for discussion of that problem.

    Fix all of this by only calling pmdp_invalidate() for a present pmd.  And
    for good measure let's add a warning to all implementations of
    pmdp_invalidate[_ad]().  I've manually reviewed all other
    pmdp_invalidate[_ad]() call sites and believe all others to be conformant.

    This is a theoretical bug found during code review.  I don't have any test
    case to trigger it in practice.

    Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com
    Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/
    Fixes: 84c3fc4e9c ("mm: thp: check pmd migration entry in common path")
    Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
    Reviewed-by: Zi Yan <ziy@nvidia.com>
    Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
    Acked-by: David Hildenbrand <david@redhat.com>
    Cc: Andreas Larsson <andreas@gaisler.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
    Cc: Borislav Petkov (AMD) <bp@alien8.de>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
    Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
    Cc: Nicholas Piggin <npiggin@gmail.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Sven Schnelle <svens@linux.ibm.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Will Deacon <will@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Signed-off-by: Rafael Aquini <raquini@redhat.com>
2024-12-09 12:25:09 -05:00
Makefile sparc32: switch to generic extables 2021-01-03 20:05:18 -05:00
fault_32.c mm: avoid unnecessary page fault retires on shared memory types 2023-03-24 11:18:32 -04:00
fault_64.c mm: always expand the stack with the mmap write lock held 2024-09-05 20:37:19 -04:00
hugetlbpage.c mm: merge pte_mkhuge() call into arch_make_huge_pte() 2022-10-12 07:27:16 -04:00
hypersparc.S sparc32: mm: Restructure sparc32 MMU page-table layout 2020-05-13 15:32:00 -07:00
init_32.c mm: remove kern_addr_valid() completely 2024-03-20 09:42:47 -04:00
init_64.c mm/treewide: replace pud_large() with pud_leaf() 2024-12-09 12:24:44 -05:00
init_64.h
io-unit.c dma-mapping: split <linux/dma-mapping.h> 2020-10-06 07:07:03 +02:00
iommu.c dma-mapping: split <linux/dma-mapping.h> 2020-10-06 07:07:03 +02:00
leon_mm.c
mm_32.h sparc32: kill lookup_fault() 2021-01-03 20:05:14 -05:00
srmmu.c sparc: Unbreak the build 2023-01-09 13:32:43 -05:00
srmmu_access.S
swift.S
tlb.c mm: fix race between __split_huge_pmd_locked() and GUP-fast 2024-12-09 12:25:09 -05:00
tsb.c mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-12-09 12:24:17 -05:00
tsunami.S
ultra.S mm: reorder includes after introduction of linux/pgtable.h 2020-06-09 09:39:13 -07:00
viking.S sparc32: mm: Restructure sparc32 MMU page-table layout 2020-05-13 15:32:00 -07:00