From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Jann Horn
Subject: [PATCH 4.14 26/42] mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
Date: Fri, 2 Sep 2022 14:18:50 +0200
Message-Id: <20220902121359.707993240@linuxfoundation.org>
In-Reply-To: <20220902121358.773776406@linuxfoundation.org>
References: <20220902121358.773776406@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jann Horn

commit b67fbebd4cf980aecbcc750e1462128bffe8ae15 upstream.

Some drivers rely on having all VMAs through which a PFN might be
accessible listed in the rmap for correctness.
However, on X86, it was possible for a VMA with stale TLB entries
to not be listed in the rmap.

This was fixed in mainline with
commit b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas"),
but that commit relies on preceding refactoring in
commit 18ba064e42df3 ("mmu_gather: Let there be one tlb_{start,end}_vma()
implementation") and commit 1e9fdf21a4339 ("mmu_gather: Remove per arch
tlb_{start,end}_vma()").

This patch provides equivalent protection without needing that
refactoring, by forcing a TLB flush between removing PTEs in
unmap_vmas() and the call to unlink_file_vma() in free_pgtables().

[This is a stable-specific rewrite of the upstream commit!]

Signed-off-by: Jann Horn
Signed-off-by: Greg Kroah-Hartman
---
 mm/mmap.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2529,6 +2529,18 @@ static void unmap_region(struct mm_struc tlb_gather_mmu(&tlb, mm, start, end); update_hiwater_rss(mm); unmap_vmas(&tlb, vma, start, end); + + /* + * Ensure we have no stale TLB entries by the time this mapping is + * removed from the rmap. + * Note that we don't have to worry about nested flushes here because + * we're holding the mm semaphore for removing the mapping - so any + * concurrent flush in this region has to be coming through the rmap, + * and we synchronize against that using the rmap lock. + */ + if ((vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP)) != 0) + tlb_flush_mmu(&tlb); + free_pgtables(&tlb, vma, prev ? prev->vm_end : FIRST_USER_ADDRESS, next ? next->vm_start : USER_PGTABLES_CEILING); tlb_finish_mmu(&tlb, start, end);
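Review bot: the VM_PFNMAP|VM_MIXEDMAP test in front of tlb_flush_mmu() only looks at the first VMA, but the unmap_vmas(&tlb, vma, start, end) call just above it tears down every VMA that starts inside [start, end), and free_pgtables() below walks the same list. A PFNMAP or MIXEDMAP VMA that is not the first one in the range is therefore unmapped without the forced flush and reaches unlink_file_vma() with its stale TLB entries possibly still live, which is exactly the situation the new comment says must not occur. Either accumulate the flags over the range before deciding, roughly

	for (tmp = vma; tmp && tmp->vm_start < end; tmp = tmp->vm_next)
		flags |= tmp->vm_flags;

and test flags instead of vma->vm_flags, or flush unconditionally here and say so in the comment. Minor: the "!= 0" on a flag test is redundant in kernel style; "if (vma->vm_flags & (VM_PFNMAP|VM_MIXEDMAP))" reads more naturally.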