The quilt patch titled Subject: mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails has been removed from the -mm tree. Its filename was mm-userfaultfd-fix-unexpected-change-to-src_folio-when-uffdio_move-fails.patch
This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
------------------------------------------------------
From: Qi Zheng zhengqi.arch@bytedance.com
Subject: mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails
Date: Thu, 22 Feb 2024 16:08:15 +0800
After ptep_clear_flush(), if we find that src_folio is pinned we will fail UFFDIO_MOVE and put src_folio back to src_pte entry, but the change to src_folio->{mapping,index} is not restored in this process. This is not what we expected, so fix it.
This can cause the rmap for that page to be invalid, possibly resulting in memory corruption. At least swapout+migration would no longer work, because we might fail to locate the mappings of that folio.
Link: https://lkml.kernel.org/r/20240222080815.46291-1-zhengqi.arch@bytedance.com
Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
Signed-off-by: Qi Zheng zhengqi.arch@bytedance.com
Reviewed-by: David Hildenbrand david@redhat.com
Reviewed-by: Suren Baghdasaryan surenb@google.com
Cc: Andrea Arcangeli aarcange@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton akpm@linux-foundation.org
---

 mm/userfaultfd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/mm/userfaultfd.c~mm-userfaultfd-fix-unexpected-change-to-src_folio-when-uffdio_move-fails +++ a/mm/userfaultfd.c @@ -914,9 +914,6 @@ static int move_present_pte(struct mm_st goto out; }
- folio_move_anon_rmap(src_folio, dst_vma); - WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr)); - orig_src_pte = ptep_clear_flush(src_vma, src_addr, src_pte); /* Folio got pinned from under us. Put it back and fail the move. */ if (folio_maybe_dma_pinned(src_folio)) { @@ -925,6 +922,9 @@ static int move_present_pte(struct mm_st goto out; }
+ folio_move_anon_rmap(src_folio, dst_vma); + WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr)); + orig_dst_pte = mk_pte(&src_folio->page, dst_vma->vm_page_prot); /* Follow mremap() behavior and treat the entry dirty after the move */ orig_dst_pte = pte_mkwrite(pte_mkdirty(orig_dst_pte), dst_vma); _
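Review bot: in the first hunk (@@ -914,9 +914,6 @@), dropping folio_move_anon_rmap() and the WRITE_ONCE(src_folio->index, ...) from before ptep_clear_flush() is the right fix, because the visible failure branch under folio_maybe_dma_pinned() only restores the source PTE and has no way to undo a mapping/index change already applied to src_folio; a one-line comment at the pinned-failure branch stating that src_folio must not have been modified before this point would keep a later refactor from reintroducing the old ordering.

Review bot: in the second hunk (@@ -925,6 +922,9 @@), the relocated folio_move_anon_rmap(src_folio, dst_vma) and WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr)) now sit after the pinned check and directly before orig_dst_pte = mk_pte(&src_folio->page, ...), so no error exit remains between them that would need to roll the rmap change back; what the hunk does not show is what serializes rmap walkers against the folio's anon_vma and index being rewritten after its source PTE has already been cleared, so a short comment above the two added lines naming that guarantee (the folio lock, if that is what move_present_pte() relies on) would document the requirement for the next reader.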
Patches currently in -mm which might be from zhengqi.arch@bytedance.com are
mm-pgtable-correct-the-wrong-comment-about-ptdesc-__page_flags.patch
mm-pgtable-add-missing-pt_index-to-struct-ptdesc.patch
s390-supplement-for-ptdesc-conversion.patch