From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Aneesh Kumar K.V", "Kirill A. Shutemov", Willem de Bruijn, Eric Dumazet, Ido Schimmel, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.14 029/100] mm/memory.c: recheck page table entry with page table lock held
Date: Thu, 29 Nov 2018 15:11:59 +0100
Message-Id: <20181129140101.264750396@linuxfoundation.org>
In-Reply-To: <20181129140058.768942700@linuxfoundation.org>
References: <20181129140058.768942700@linuxfoundation.org>
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Aneesh Kumar K.V

commit ff09d7ec9786be4ad7589aa987d7dc66e2dd9160 upstream.

We clear the pte temporarily during read/modify/write update of the pte.
If we take a page fault while the pte is cleared, the application can get
SIGBUS. One such case is with remap_pfn_range without a backing
vm_ops->fault callback. do_fault will return SIGBUS in that case.

cpu 0                                   cpu1
mprotect()
ptep_modify_prot_start()/pte cleared.
.
.                                       page fault.
.
.
ptep_modify_prot_commit()

Fix this by taking page table lock and rechecking for pte_none.

[aneesh.kumar@linux.ibm.com: fix crash observed with syzkaller run]
Link: http://lkml.kernel.org/r/87va6bwlfg.fsf@linux.ibm.com
Link: http://lkml.kernel.org/r/20180926031858.9692-1-aneesh.kumar@linux.ibm.com
Signed-off-by: Aneesh Kumar K.V
Acked-by: Kirill A. Shutemov
Cc: Willem de Bruijn
Cc: Eric Dumazet
Cc: Ido Schimmel
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
 mm/memory.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3697,10 +3697,36 @@ static int do_fault(struct vm_fault *vmf struct vm_area_struct *vma = vmf->vma; int ret; - /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ - if (!vma->vm_ops->fault) - ret = VM_FAULT_SIGBUS; - else if (!(vmf->flags & FAULT_FLAG_WRITE)) + /* + * The VMA was not fully populated on mmap() or missing VM_DONTEXPAND + */ + if (!vma->vm_ops->fault) { + /* + * If we find a migration pmd entry or a none pmd entry, which + * should never happen, return SIGBUS + */ + if (unlikely(!pmd_present(*vmf->pmd))) + ret = VM_FAULT_SIGBUS; + else { + vmf->pte = pte_offset_map_lock(vmf->vma->vm_mm, + vmf->pmd, + vmf->address, + &vmf->ptl); + /* + * Make sure this is not a temporary clearing of pte + * by holding ptl and checking again. A R/M/W update + * of pte involves: take ptl, clearing the pte so that + * we don't have concurrent modification by hardware + * followed by an update. + */ + if (unlikely(pte_none(*vmf->pte))) + ret = VM_FAULT_SIGBUS; + else + ret = VM_FAULT_NOPAGE; + + pte_unmap_unlock(vmf->pte, vmf->ptl); + } + } else if (!(vmf->flags & FAULT_FLAG_WRITE)) ret = do_read_fault(vmf); else if (!(vma->vm_flags & VM_SHARED)) ret = do_cow_fault(vmf);
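Review bot: the inner conditional inside the new `if (!vma->vm_ops->fault) {` block mixes brace styles: the `if (unlikely(!pmd_present(*vmf->pmd)))` arm is a bare single statement while its `else {` arm is braced, and kernel coding style asks for braces on both arms when either arm needs them, so `ret = VM_FAULT_SIGBUS;` should be wrapped as well. Unrelated churn: the one-line `/* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */` comment is reflowed into a three-line block comment with identical text; keeping the original line would shrink the diff to the functional change. The locking itself reads correctly: pte_offset_map_lock() is only reached after the pmd_present() check, and pte_unmap_unlock() runs on both the pte_none() SIGBUS path and the VM_FAULT_NOPAGE path, so the ptl is released on every exit from the block.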