August 2020 - Linux-stable-mirror

[merged] khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() has been removed from the -mm tree. Its filename was khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Hugh Dickins <hughd(a)google.com> Subject: khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() syzbot crashes on the VM_BUG_ON_MM(khugepaged_test_exit(mm), mm) in __khugepaged_enter(): yes, when one thread is about to dump core, has set core_state, and is waiting for others, another might do something calling __khugepaged_enter(), which now crashes because I lumped the core_state test (known as "mmget_still_valid") into khugepaged_test_exit(). I still think it's best to lump them together, so just in this exceptional case, check mm->mm_users directly instead of khugepaged_test_exit(). Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008141503370.18085@eggly.anvils Fixes: bbe98f9cadff ("khugepaged: khugepaged_test_exit() check mmget_still_valid()") Signed-off-by: Hugh Dickins <hughd(a)google.com> Reported-by: syzbot <syzkaller(a)googlegroups.com> Acked-by: Yang Shi <shy828301(a)gmail.com> Cc: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Song Liu <songliubraving(a)fb.com> Cc: Mike Kravetz <mike.kravetz(a)oracle.com> Cc: Eric Dumazet <edumazet(a)google.com> Cc: <stable(a)vger.kernel.org> [4.8+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/khugepaged.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/khugepaged.c~khugepaged-adjust-vm_bug_on_mm-in-__khugepaged_enter +++ a/mm/khugepaged.c @@ -466,7 +466,7 @@ int __khugepaged_enter(struct mm_struct return -ENOMEM; /* __khugepaged_exit() must not run from under us */ - VM_BUG_ON_MM(khugepaged_test_exit(mm), mm); + VM_BUG_ON_MM(atomic_read(&mm->mm_users) == 0, mm); if (unlikely(test_and_set_bit(MMF_VM_HUGEPAGE, &mm->flags))) { free_mm_slot(mm_slot); return 0; _ Patches currently in -mm which might be from hughd(a)google.com are

4 years, 4 months

1
0
0 0

[tip: efi/urgent] efi/x86: Mark kernel rodata non-executable for mixed mode

by tip-bot2 for Arvind Sankar

The following commit has been merged into the efi/urgent branch of tip: Commit-ID: c8502eb2d43b6b9b1dc382299a4d37031be63876 Gitweb: https://git.kernel.org/tip/c8502eb2d43b6b9b1dc382299a4d37031be63876 Author: Arvind Sankar <nivedita(a)alum.mit.edu> AuthorDate: Fri, 17 Jul 2020 15:45:26 -04:00 Committer: Ard Biesheuvel <ardb(a)kernel.org> CommitterDate: Thu, 20 Aug 2020 11:18:36 +02:00 efi/x86: Mark kernel rodata non-executable for mixed mode When remapping the kernel rodata section RO in the EFI pagetables, the protection flags that were used for the text section are being reused, but the rodata section should not be marked executable. Cc: <stable(a)vger.kernel.org> Signed-off-by: Arvind Sankar <nivedita(a)alum.mit.edu> Link: https://lore.kernel.org/r/20200717194526.3452089-1-nivedita@alum.mit.edu Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- arch/x86/platform/efi/efi_64.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c index 413583f..6af4da1 100644 --- a/arch/x86/platform/efi/efi_64.c +++ b/arch/x86/platform/efi/efi_64.c @@ -259,6 +259,8 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages) npages = (__end_rodata - __start_rodata) >> PAGE_SHIFT; rodata = __pa(__start_rodata); pfn = rodata >> PAGE_SHIFT; + + pf = _PAGE_NX | _PAGE_ENC; if (kernel_map_pages_in_pgd(pgd, pfn, rodata, npages, pf)) { pr_err("Failed to map kernel rodata 1:1\n"); return 1;

4 years, 4 months

1
0
0 0

[tip: efi/urgent] efi: add missed destroy_workqueue when efisubsys_init fails

by tip-bot2 for Li Heng

The following commit has been merged into the efi/urgent branch of tip: Commit-ID: 98086df8b70c06234a8f4290c46064e44dafa0ed Gitweb: https://git.kernel.org/tip/98086df8b70c06234a8f4290c46064e44dafa0ed Author: Li Heng <liheng40(a)huawei.com> AuthorDate: Mon, 20 Jul 2020 15:22:18 +08:00 Committer: Ard Biesheuvel <ardb(a)kernel.org> CommitterDate: Thu, 20 Aug 2020 11:18:45 +02:00 efi: add missed destroy_workqueue when efisubsys_init fails destroy_workqueue() should be called to destroy efi_rts_wq when efisubsys_init() init resources fails. Cc: <stable(a)vger.kernel.org> Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Li Heng <liheng40(a)huawei.com> Link: https://lore.kernel.org/r/1595229738-10087-1-git-send-email-liheng40@huawei… Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/efi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index fdd1db0..3aa07c3 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -381,6 +381,7 @@ static int __init efisubsys_init(void) efi_kobj = kobject_create_and_add("efi", firmware_kobj); if (!efi_kobj) { pr_err("efi: Firmware registration failed.\n"); + destroy_workqueue(efi_rts_wq); return -ENOMEM; } @@ -424,6 +425,7 @@ err_unregister: generic_ops_unregister(); err_put: kobject_put(efi_kobj); + destroy_workqueue(efi_rts_wq); return error; }

4 years, 4 months

1
0
0 0

[tip: efi/urgent] efi/libstub: Stop parsing arguments at "--"

by tip-bot2 for Arvind Sankar

The following commit has been merged into the efi/urgent branch of tip: Commit-ID: 1fd9717d75df68e3c3509b8e7b1138ca63472f88 Gitweb: https://git.kernel.org/tip/1fd9717d75df68e3c3509b8e7b1138ca63472f88 Author: Arvind Sankar <nivedita(a)alum.mit.edu> AuthorDate: Sat, 25 Jul 2020 11:59:16 -04:00 Committer: Ard Biesheuvel <ardb(a)kernel.org> CommitterDate: Thu, 20 Aug 2020 11:18:52 +02:00 efi/libstub: Stop parsing arguments at "--" Arguments after "--" are arguments for init, not for the kernel. Cc: <stable(a)vger.kernel.org> Signed-off-by: Arvind Sankar <nivedita(a)alum.mit.edu> Link: https://lore.kernel.org/r/20200725155916.1376773-1-nivedita@alum.mit.edu Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 6bca70b..37ff34e 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -201,6 +201,8 @@ efi_status_t efi_parse_options(char const *cmdline) char *param, *val; str = next_arg(str, &param, &val); + if (!val && !strcmp(param, "--")) + break; if (!strcmp(param, "nokaslr")) { efi_nokaslr = true;

4 years, 4 months

1
0
0 0

[tip: efi/urgent] efi/libstub: Handle NULL cmdline

by tip-bot2 for Arvind Sankar

The following commit has been merged into the efi/urgent branch of tip: Commit-ID: a37ca6a2af9df2972372b918f09390c9303acfbd Gitweb: https://git.kernel.org/tip/a37ca6a2af9df2972372b918f09390c9303acfbd Author: Arvind Sankar <nivedita(a)alum.mit.edu> AuthorDate: Wed, 29 Jul 2020 15:33:00 -04:00 Committer: Ard Biesheuvel <ardb(a)kernel.org> CommitterDate: Thu, 20 Aug 2020 11:18:55 +02:00 efi/libstub: Handle NULL cmdline Treat a NULL cmdline the same as empty. Although this is unlikely to happen in practice, the x86 kernel entry does check for NULL cmdline and handles it, so do it here as well. Cc: <stable(a)vger.kernel.org> Signed-off-by: Arvind Sankar <nivedita(a)alum.mit.edu> Link: https://lore.kernel.org/r/20200729193300.598448-1-nivedita@alum.mit.edu Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/libstub/efi-stub-helper.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 37ff34e..f53652a 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -187,10 +187,14 @@ int efi_printk(const char *fmt, ...) */ efi_status_t efi_parse_options(char const *cmdline) { - size_t len = strlen(cmdline) + 1; + size_t len; efi_status_t status; char *str, *buf; + if (!cmdline) + return EFI_SUCCESS; + + len = strlen(cmdline) + 1; status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, len, (void **)&buf); if (status != EFI_SUCCESS) return status;

4 years, 4 months

1
0
0 0

[tip: efi/urgent] efi/libstub: Handle unterminated cmdline

by tip-bot2 for Arvind Sankar

The following commit has been merged into the efi/urgent branch of tip: Commit-ID: 8a8a3237a78cbc0557f0eb16a89f16d616323e99 Gitweb: https://git.kernel.org/tip/8a8a3237a78cbc0557f0eb16a89f16d616323e99 Author: Arvind Sankar <nivedita(a)alum.mit.edu> AuthorDate: Thu, 13 Aug 2020 14:58:11 -04:00 Committer: Ard Biesheuvel <ardb(a)kernel.org> CommitterDate: Thu, 20 Aug 2020 11:18:58 +02:00 efi/libstub: Handle unterminated cmdline Make the command line parsing more robust, by handling the case it is not NUL-terminated. Use strnlen instead of strlen, and make sure that the temporary copy is NUL-terminated before parsing. Cc: <stable(a)vger.kernel.org> Signed-off-by: Arvind Sankar <nivedita(a)alum.mit.edu> Link: https://lore.kernel.org/r/20200813185811.554051-4-nivedita@alum.mit.edu Signed-off-by: Ard Biesheuvel <ardb(a)kernel.org> --- drivers/firmware/efi/libstub/efi-stub-helper.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index f53652a..f735db5 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -194,12 +194,14 @@ efi_status_t efi_parse_options(char const *cmdline) if (!cmdline) return EFI_SUCCESS; - len = strlen(cmdline) + 1; + len = strnlen(cmdline, COMMAND_LINE_SIZE - 1) + 1; status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, len, (void **)&buf); if (status != EFI_SUCCESS) return status; - str = skip_spaces(memcpy(buf, cmdline, len)); + memcpy(buf, cmdline, len - 1); + buf[len - 1] = '\0'; + str = skip_spaces(buf); while (*str) { char *param, *val;

4 years, 4 months

1
0
0 0

+ mm-track-page-table-modifications-in-__apply_to_page_range.patch added to -mm tree

by Andrew Morton

The patch titled Subject: mm: track page table modifications in __apply_to_page_range() has been added to the -mm tree. Its filename is mm-track-page-table-modifications-in-__apply_to_page_range.patch This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/mm-track-page-table-modifications… and later at https://ozlabs.org/~akpm/mmotm/broken-out/mm-track-page-table-modifications… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Joerg Roedel <jroedel(a)suse.de> Subject: mm: track page table modifications in __apply_to_page_range() __apply_to_page_range() is also used to change and/or allocate page-table pages in the vmalloc area of the address space. Make sure these changes get synchronized to other page-tables in the system by calling arch_sync_kernel_mappings() when necessary. The impact appears limited to x86-32, where apply_to_page_range may miss updating the PMD. That leads to explosions in drivers like [ 24.227844] BUG: unable to handle page fault for address: fe036000 [ 24.228076] #PF: supervisor write access in kernel mode [ 24.228294] #PF: error_code(0x0002) - not-present page [ 24.228494] *pde = 00000000 [ 24.228640] Oops: 0002 [#1] SMP [ 24.228788] CPU: 3 PID: 1300 Comm: gem_concurrent_ Not tainted 5.9.0-rc1+ #16 [ 24.228957] Hardware name: /NUC6i3SYB, BIOS SYSKLi35.86A.0024.2015.1027.2142 10/27/2015 [ 24.229297] EIP: __execlists_context_alloc+0x132/0x2d0 [i915] [ 24.229462] Code: 31 d2 89 f0 e8 2f 55 02 00 89 45 e8 3d 00 f0 ff ff 0f 87 11 01 00 00 8b 4d e8 03 4b 30 b8 5a 5a 5a 5a ba 01 00 00 00 8d 79 04 <c7> 01 5a 5a 5a 5a c7 81 fc 0f 00 00 5a 5a 5a 5a 83 e7 fc 29 f9 81 [ 24.229759] EAX: 5a5a5a5a EBX: f60ca000 ECX: fe036000 EDX: 00000001 [ 24.229915] ESI: f43b7340 EDI: fe036004 EBP: f6389cb8 ESP: f6389c9c [ 24.230072] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286 [ 24.230229] CR0: 80050033 CR2: fe036000 CR3: 2d361000 CR4: 001506d0 [ 24.230385] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 24.230539] DR6: fffe0ff0 DR7: 00000400 [ 24.230675] Call Trace: [ 24.230957] execlists_context_alloc+0x10/0x20 [i915] [ 24.231266] intel_context_alloc_state+0x3f/0x70 [i915] [ 24.231547] __intel_context_do_pin+0x117/0x170 [i915] [ 24.231850] i915_gem_do_execbuffer+0xcc7/0x2500 [i915] [ 24.232024] ? __kmalloc_track_caller+0x54/0x230 [ 24.232181] ? ktime_get+0x3e/0x120 [ 24.232333] ? dma_fence_signal+0x34/0x50 [ 24.232617] i915_gem_execbuffer2_ioctl+0xcd/0x1f0 [i915] [ 24.232912] ? i915_gem_execbuffer_ioctl+0x2e0/0x2e0 [i915] [ 24.233084] drm_ioctl_kernel+0x8f/0xd0 [ 24.233236] drm_ioctl+0x223/0x3d0 [ 24.233505] ? i915_gem_execbuffer_ioctl+0x2e0/0x2e0 [i915] [ 24.233684] ? pick_next_task_fair+0x1b5/0x3d0 [ 24.233873] ? __switch_to_asm+0x36/0x50 [ 24.234021] ? drm_ioctl_kernel+0xd0/0xd0 [ 24.234167] __ia32_sys_ioctl+0x1ab/0x760 [ 24.234313] ? exit_to_user_mode_prepare+0xe5/0x110 [ 24.234453] ? syscall_exit_to_user_mode+0x23/0x130 [ 24.234601] __do_fast_syscall_32+0x3f/0x70 [ 24.234744] do_fast_syscall_32+0x29/0x60 [ 24.234885] do_SYSENTER_32+0x15/0x20 [ 24.235021] entry_SYSENTER_32+0x9f/0xf2 [ 24.235157] EIP: 0xb7f28559 [ 24.235288] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 [ 24.235576] EAX: ffffffda EBX: 00000005 ECX: c0406469 EDX: bf95556c [ 24.235722] ESI: b7e68000 EDI: c0406469 EBP: 00000005 ESP: bf9554d8 [ 24.235869] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296 [ 24.236018] Modules linked in: i915 x86_pkg_temp_thermal intel_powerclamp crc32_pclmul crc32c_intel intel_cstate intel_uncore intel_gtt drm_kms_helper intel_pch_thermal video button autofs4 i2c_i801 i2c_smbus fan [ 24.236336] CR2: 00000000fe036000 It looks like kasan, xen and i915 are vulnerable. Actual impact is "on thinkpad X60 in 5.9-rc1, screen starts blinking after 30-or-so minutes, and machine is unusable" [chris(a)chris-wilson.co.uk: changelog addition] [pavel(a)ucw.cz: changelog addition] Link: https://lkml.kernel.org/r/20200821123746.16904-1-joro@8bytes.org Signed-off-by: Joerg Roedel <jroedel(a)suse.de> Tested-by: Chris Wilson <chris(a)chris-wilson.co.uk> [x86-32] Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Pavel Machek <pavel(a)ucw.cz> Cc: <stable(a)vger.kernel.org> [5.8+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) --- a/mm/memory.c~mm-track-page-table-modifications-in-__apply_to_page_range +++ a/mm/memory.c @@ -83,6 +83,7 @@ #include <asm/tlb.h> #include <asm/tlbflush.h> +#include "pgalloc-track.h" #include "internal.h" #if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST) @@ -2206,7 +2207,8 @@ EXPORT_SYMBOL(vm_iomap_memory); static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, unsigned long addr, unsigned long end, - pte_fn_t fn, void *data, bool create) + pte_fn_t fn, void *data, bool create, + pgtbl_mod_mask *mask) { pte_t *pte; int err = 0; @@ -2214,7 +2216,7 @@ static int apply_to_pte_range(struct mm_ if (create) { pte = (mm == &init_mm) ? - pte_alloc_kernel(pmd, addr) : + pte_alloc_kernel_track(pmd, addr, mask) : pte_alloc_map_lock(mm, pmd, addr, &ptl); if (!pte) return -ENOMEM; @@ -2235,6 +2237,7 @@ static int apply_to_pte_range(struct mm_ break; } } while (addr += PAGE_SIZE, addr != end); + *mask |= PGTBL_PTE_MODIFIED; arch_leave_lazy_mmu_mode(); @@ -2245,7 +2248,8 @@ static int apply_to_pte_range(struct mm_ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud, unsigned long addr, unsigned long end, - pte_fn_t fn, void *data, bool create) + pte_fn_t fn, void *data, bool create, + pgtbl_mod_mask *mask) { pmd_t *pmd; unsigned long next; @@ -2254,7 +2258,7 @@ static int apply_to_pmd_range(struct mm_ BUG_ON(pud_huge(*pud)); if (create) { - pmd = pmd_alloc(mm, pud, addr); + pmd = pmd_alloc_track(mm, pud, addr, mask); if (!pmd) return -ENOMEM; } else { @@ -2264,7 +2268,7 @@ static int apply_to_pmd_range(struct mm_ next = pmd_addr_end(addr, end); if (create || !pmd_none_or_clear_bad(pmd)) { err = apply_to_pte_range(mm, pmd, addr, next, fn, data, - create); + create, mask); if (err) break; } @@ -2274,14 +2278,15 @@ static int apply_to_pmd_range(struct mm_ static int apply_to_pud_range(struct mm_struct *mm, p4d_t *p4d, unsigned long addr, unsigned long end, - pte_fn_t fn, void *data, bool create) + pte_fn_t fn, void *data, bool create, + pgtbl_mod_mask *mask) { pud_t *pud; unsigned long next; int err = 0; if (create) { - pud = pud_alloc(mm, p4d, addr); + pud = pud_alloc_track(mm, p4d, addr, mask); if (!pud) return -ENOMEM; } else { @@ -2291,7 +2296,7 @@ static int apply_to_pud_range(struct mm_ next = pud_addr_end(addr, end); if (create || !pud_none_or_clear_bad(pud)) { err = apply_to_pmd_range(mm, pud, addr, next, fn, data, - create); + create, mask); if (err) break; } @@ -2301,14 +2306,15 @@ static int apply_to_pud_range(struct mm_ static int apply_to_p4d_range(struct mm_struct *mm, pgd_t *pgd, unsigned long addr, unsigned long end, - pte_fn_t fn, void *data, bool create) + pte_fn_t fn, void *data, bool create, + pgtbl_mod_mask *mask) { p4d_t *p4d; unsigned long next; int err = 0; if (create) { - p4d = p4d_alloc(mm, pgd, addr); + p4d = p4d_alloc_track(mm, pgd, addr, mask); if (!p4d) return -ENOMEM; } else { @@ -2318,7 +2324,7 @@ static int apply_to_p4d_range(struct mm_ next = p4d_addr_end(addr, end); if (create || !p4d_none_or_clear_bad(p4d)) { err = apply_to_pud_range(mm, p4d, addr, next, fn, data, - create); + create, mask); if (err) break; } @@ -2331,8 +2337,9 @@ static int __apply_to_page_range(struct void *data, bool create) { pgd_t *pgd; - unsigned long next; + unsigned long start = addr, next; unsigned long end = addr + size; + pgtbl_mod_mask mask = 0; int err = 0; if (WARN_ON(addr >= end)) @@ -2343,11 +2350,14 @@ static int __apply_to_page_range(struct next = pgd_addr_end(addr, end); if (!create && pgd_none_or_clear_bad(pgd)) continue; - err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create); + err = apply_to_p4d_range(mm, pgd, addr, next, fn, data, create, &mask); if (err) break; } while (pgd++, addr = next, addr != end); + if (mask & ARCH_PAGE_TABLE_SYNC_MASK) + arch_sync_kernel_mappings(start, start + size); + return err; } _ Patches currently in -mm which might be from jroedel(a)suse.de are mm-track-page-table-modifications-in-__apply_to_page_range.patch

4 years, 4 months

1
0
0 0

+ mm-madvise-fix-vma-user-after-free.patch added to -mm tree

by Andrew Morton

The patch titled Subject: mm: madvise: fix vma user-after-free has been added to the -mm tree. Its filename is mm-madvise-fix-vma-user-after-free.patch This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/mm-madvise-fix-vma-user-after-fre… and later at https://ozlabs.org/~akpm/mmotm/broken-out/mm-madvise-fix-vma-user-after-fre… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Yang Shi <shy828301(a)gmail.com> Subject: mm: madvise: fix vma user-after-free The syzbot reported the below use-after-free: BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:293 [inline] BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:942 [inline] BUG: KASAN: use-after-free in do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 Read of size 8 at addr ffff8880a6163eb0 by task syz-executor.0/9996 CPU: 0 PID: 9996 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 madvise_willneed mm/madvise.c:293 [inline] madvise_vma mm/madvise.c:942 [inline] do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 do_madvise mm/madvise.c:1169 [inline] __do_sys_madvise mm/madvise.c:1171 [inline] __se_sys_madvise mm/madvise.c:1169 [inline] __x64_sys_madvise+0xd9/0x110 mm/madvise.c:1169 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d4d9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f04f7464c78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9 RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000 RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec R13: 00007ffc579cce7f R14: 00007f04f74659c0 R15: 000000000118cfec Allocated by task 9992: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:518 [inline] slab_alloc mm/slab.c:3312 [inline] kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482 vm_area_alloc+0x1c/0x110 kernel/fork.c:347 mmap_region+0x8e5/0x1780 mm/mmap.c:1743 do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 vm_mmap_pgoff+0x195/0x200 mm/util.c:506 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 9992: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693 remove_vma+0x132/0x170 mm/mmap.c:184 remove_vma_list mm/mmap.c:2613 [inline] __do_munmap+0x743/0x1170 mm/mmap.c:2869 do_munmap mm/mmap.c:2877 [inline] mmap_region+0x257/0x1780 mm/mmap.c:1716 do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 vm_mmap_pgoff+0x195/0x200 mm/util.c:506 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 It is because vma is accessed after releasing mmap_lock, but someone else acquired the mmap_lock and the vma is gone. Releasing mmap_lock after accessing vma should fix the problem. Link: https://lkml.kernel.org/r/20200816141204.162624-1-shy828301@gmail.com Fixes: 692fe62433d4c ("mm: Handle MADV_WILLNEED through vfs_fadvise()") Reported-by: syzbot+b90df26038d1d5d85c97(a)syzkaller.appspotmail.com Signed-off-by: Yang Shi <shy828301(a)gmail.com> Cc: Jan Kara <jack(a)suse.cz> Cc: <stable(a)vger.kernel.org> [5.4+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/madvise.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/madvise.c~mm-madvise-fix-vma-user-after-free +++ a/mm/madvise.c @@ -289,9 +289,9 @@ static long madvise_willneed(struct vm_a */ *prev = NULL; /* tell sys_madvise we drop mmap_lock */ get_file(file); - mmap_read_unlock(current->mm); offset = (loff_t)(start - vma->vm_start) + ((loff_t)vma->vm_pgoff << PAGE_SHIFT); + mmap_read_unlock(current->mm); vfs_fadvise(file, offset, end - start, POSIX_FADV_WILLNEED); fput(file); mmap_read_lock(current->mm); _ Patches currently in -mm which might be from shy828301(a)gmail.com are mm-madvise-fix-vma-user-after-free.patch

4 years, 4 months

1
0
0 0

stable-rc/linux-4.19.y baseline: 169 runs, 2 regressions (v4.19.141)

by kernelci.org bot

stable-rc/linux-4.19.y baseline: 169 runs, 2 regressions (v4.19.141) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | results ----------------------+------+--------------+----------+-----------------+-------- at91-sama5d4_xplained | arm | lab-baylibre | gcc-8 | sama5_defconfig | 0/1 hsdk | arc | lab-baylibre | gcc-8 | hsdk_defconfig | 0/1 Details: https://kernelci.org/test/job/stable-rc/branch/linux-4.19.y/kernel/v4.19.14… Test: baseline Tree: stable-rc Branch: linux-4.19.y Describe: v4.19.141 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: d18b78abc0c6e7d3119367c931c583e02d466495 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | results ----------------------+------+--------------+----------+-----------------+-------- at91-sama5d4_xplained | arm | lab-baylibre | gcc-8 | sama5_defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5f4001a344261025c19fb42d Results: 0 PASS, 1 FAIL, 0 SKIP Full config: sama5_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/linux-4.19.y/v4.19.141/arm/sama5_de… HTML log: https://storage.kernelci.org//stable-rc/linux-4.19.y/v4.19.141/arm/sama5_de… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05/armel/basel… * baseline.login: https://kernelci.org/test/case/id/5f4001a344261025c19fb42e failing since 66 days (last pass: v4.19.126-55-gf6c346f2d42d, first fail: v4.19.126-113-gd694d4388e88) platform | arch | lab | compiler | defconfig | results ----------------------+------+--------------+----------+-----------------+-------- hsdk | arc | lab-baylibre | gcc-8 | hsdk_defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5f3ff9fea1b873344b9fb442 Results: 0 PASS, 1 FAIL, 0 SKIP Full config: hsdk_defconfig Compiler: gcc-8 (arc-elf32-gcc (ARCompact/ARCv2 ISA elf32 toolchain 2019.03-rc1) 8.3.1 20190225) Plain log: https://storage.kernelci.org//stable-rc/linux-4.19.y/v4.19.141/arc/hsdk_def… HTML log: https://storage.kernelci.org//stable-rc/linux-4.19.y/v4.19.141/arc/hsdk_def… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05/arc/baselin… * baseline.login: https://kernelci.org/test/case/id/5f3ff9fea1b873344b9fb443 failing since 32 days (last pass: v4.19.125-93-g80718197a8a3, first fail: v4.19.133-134-g9d319b54cc24)

4 years, 4 months

1
0
0 0

stable-rc/linux-5.7.y baseline: 181 runs, 2 regressions (v5.7.17)

by kernelci.org bot

stable-rc/linux-5.7.y baseline: 181 runs, 2 regressions (v5.7.17) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | results ----------------------+------+---------------+----------+------------------+-------- at91-sama5d4_xplained | arm | lab-baylibre | gcc-8 | sama5_defconfig | 0/1 exynos5422-odroidxu3 | arm | lab-collabora | gcc-8 | exynos_defconfig | 0/1 Details: https://kernelci.org/test/job/stable-rc/branch/linux-5.7.y/kernel/v5.7.17/p… Test: baseline Tree: stable-rc Branch: linux-5.7.y Describe: v5.7.17 URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 3f45898cffc4e386952f3e4821810500adccea1f Test Regressions ---------------- platform | arch | lab | compiler | defconfig | results ----------------------+------+---------------+----------+------------------+-------- at91-sama5d4_xplained | arm | lab-baylibre | gcc-8 | sama5_defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5f400009b8a31725159fb42b Results: 0 PASS, 1 FAIL, 0 SKIP Full config: sama5_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/linux-5.7.y/v5.7.17/arm/sama5_defco… HTML log: https://storage.kernelci.org//stable-rc/linux-5.7.y/v5.7.17/arm/sama5_defco… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05/armel/basel… * baseline.login: https://kernelci.org/test/case/id/5f400009b8a31725159fb42c failing since 36 days (last pass: v5.7.8-167-gc2fb28a4b6e4, first fail: v5.7.9) platform | arch | lab | compiler | defconfig | results ----------------------+------+---------------+----------+------------------+-------- exynos5422-odroidxu3 | arm | lab-collabora | gcc-8 | exynos_defconfig | 0/1 Details: https://kernelci.org/test/plan/id/5f4023c9b8b606d1759fb42b Results: 0 PASS, 1 FAIL, 0 SKIP Full config: exynos_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/linux-5.7.y/v5.7.17/arm/exynos_defc… HTML log: https://storage.kernelci.org//stable-rc/linux-5.7.y/v5.7.17/arm/exynos_defc… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05/armel/basel… * baseline.login: https://kernelci.org/test/case/id/5f4023c9b8b606d1759fb42c failing since 1 day (last pass: v5.7.16-99-gc5aad81e7f2d, first fail: v5.7.16-205-g7366707e7e99)

4 years, 4 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2020