From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hongxiang Lou, Miaohe Lin, Thomas Gleixner, Dave Hansen, Andi Kleen, Josh Poimboeuf, Andrew Morton, Linus Torvalds, Sasha Levin
Subject: [PATCH 5.4 227/340] mm/memory.c: fix potential pte_unmap_unlock pte error
Date: Mon, 1 Mar 2021 17:12:51 +0100
Message-Id: <20210301161059.473047400@linuxfoundation.org>
In-Reply-To: <20210301161048.294656001@linuxfoundation.org>
References: <20210301161048.294656001@linuxfoundation.org>

From: Miaohe Lin

[ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ]

Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged
high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed,
we would break the loop with pte unchanged. Then the wrong pte - 1 would
be passed to pte_unmap_unlock.

Andi said:

 "While the fix is correct, I'm not sure if it actually is a real bug.
  Is there any architecture that would do something else than unlocking
  the underlying page? If it's just the underlying page then it should
  be always the same page, so no bug"

Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com
Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings")
Signed-off-by: Hongxiang Lou
Signed-off-by: Miaohe Lin
Cc: Thomas Gleixner
Cc: Dave Hansen
Cc: Andi Kleen
Cc: Josh Poimboeuf
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
--- mm/memory.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index b23831132933a..9710e94ff4f21 100644 --- a/mm/memory.c +++ b/mm/memory.c
@@ -1804,11 +1804,11 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, unsigned long addr, unsigned long end, unsigned long pfn, pgprot_t prot) { - pte_t *pte; + pte_t *pte, *mapped_pte; spinlock_t *ptl; int err = 0; - pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); + mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); if (!pte) return -ENOMEM; arch_enter_lazy_mmu_mode(); @@ -1822,7 +1822,7 @@ static int remap_pte_range(struct mm_struct *mm, pmd_t *pmd, pfn++; } while (pte++, addr += PAGE_SIZE, addr != end); arch_leave_lazy_mmu_mode(); - pte_unmap_unlock(pte - 1, ptl); + pte_unmap_unlock(mapped_pte, ptl); return err; } -- 2.27.0
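
Review bot: in the first hunk (@@ -1804), `mapped_pte` is introduced with no comment saying that it holds the pointer returned by pte_alloc_map_lock() for the later unmap, while `pte` is only the loop cursor. A one-line comment at the declaration would keep a later cleanup from folding the two variables back together. Splitting the chained `mapped_pte = pte = pte_alloc_map_lock(mm, pmd, addr, &ptl);` into the call followed by `mapped_pte = pte;` after the `if (!pte)` check would also make it obvious that the saved value is never NULL.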
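
Review bot: in the second hunk (@@ -1822), the switch to `pte_unmap_unlock(mapped_pte, ptl);` looks right, but the changelog leaves Andi's quoted question unanswered: it never says whether any architecture's pte_unmap_unlock() depends on the exact pointer rather than the containing page. For a patch queued for 5.4 stable, the message should spell out the failing case it names, a break on the first entry, where `pte - 1` points one entry before the mapping returned by pte_alloc_map_lock(), and say what the observable effect is. The Fixes: tag also abbreviates the commit as 42e4089c789 while the body text uses 42e4089c7890; use the same 12-character form in both places.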