Hi all.
The upstream kernels later than v6.10-rc6 have the patch:
7d79cd784470 udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
That patch stops the syzbot crashes [1], [2] from reproducing. The reproducer code [3] still crashes longterm & stable kernel versions v5.4-v6.6. Here are the 7d79cd784470 backports below. The patch for v6.6 is just cherry-picked; the patch for v5.4-v6.1 has a minor change described in the patch note.
Regards, AK
[1] https://syzkaller.appspot.com/bug?extid=3d218f7b6c5511a83a79
[2] https://syzkaller.appspot.com/bug?extid=17a207d226b8a5fb0fd9
[3] https://syzkaller.appspot.com/text?tag=ReproC&x=10c0b8c0580000
Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
Reported-by: syzbot+17a207d226b8a5fb0fd9@syzkaller.appspotmail.com
From: Vivek Kasireddy vivek.kasireddy@intel.com
[ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings would be managed without using struct page.
And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn to userspace instead of directly sharing the page (via struct page *).
Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
Signed-off-by: Vivek Kasireddy vivek.kasireddy@intel.com
Suggested-by: David Hildenbrand david@redhat.com
Acked-by: David Hildenbrand david@redhat.com
Acked-by: Dave Airlie airlied@redhat.com
Acked-by: Gerd Hoffmann kraxel@redhat.com
Cc: Daniel Vetter daniel.vetter@ffwll.ch
Cc: Hugh Dickins hughd@google.com
Cc: Peter Xu peterx@redhat.com
Cc: Jason Gunthorpe jgg@nvidia.com
Cc: Dongwon Kim dongwon.kim@intel.com
Cc: Junxiao Chang junxiao.chang@intel.com
Cc: Arnd Bergmann arnd@arndb.de
Cc: Christoph Hellwig hch@infradead.org
Cc: Christoph Hellwig hch@lst.de
Cc: Matthew Wilcox (Oracle) willy@infradead.org
Cc: Mike Kravetz mike.kravetz@oracle.com
Cc: Oscar Salvador osalvador@suse.de
Cc: Shuah Khan shuah@kernel.org
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
---
drivers/dma-buf/udmabuf.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index c40645999648..820c993c8659 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -35,12 +35,13 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf) struct vm_area_struct *vma = vmf->vma; struct udmabuf *ubuf = vma->vm_private_data; pgoff_t pgoff = vmf->pgoff; + unsigned long pfn;
if (pgoff >= ubuf->pagecount) return VM_FAULT_SIGBUS; - vmf->page = ubuf->pages[pgoff]; - get_page(vmf->page); - return 0; + + pfn = page_to_pfn(ubuf->pages[pgoff]); + return vmf_insert_pfn(vma, vmf->address, pfn); }
static const struct vm_operations_struct udmabuf_vm_ops = { @@ -56,6 +57,7 @@ static int mmap_udmabuf(struct dma_buf *buf, struct vm_area_struct *vma)
vma->vm_ops = &udmabuf_vm_ops; vma->vm_private_data = ubuf; + vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP); return 0; }
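Review bot: In udmabuf_vm_fault(), the removed get_page(vmf->page) has no replacement, so once vmf_insert_pfn() installs the PFN nothing in the fault path holds a reference on ubuf->pages[pgoff]; the mapping is only valid as long as the udmabuf itself keeps those pages alive for the lifetime of the VMA, and neither the code nor the commit message says so. Please add a one-line comment above the vmf_insert_pfn() call stating what pins ubuf->pages[] while the mapping exists, so a later change to the release path cannot silently leave userspace with a stale PFN mapping. The retained pgoff >= ubuf->pagecount check before the array index is correct and should stay ahead of page_to_pfn().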
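Review bot: In mmap_udmabuf(), the added vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP) sets three flags but the commit message explains only VM_PFNMAP; please document why VM_DONTEXPAND and VM_DONTDUMP are wanted here. It is also worth stating in the message that this hunk and the fault-handler hunk must land together: vmf_insert_pfn() requires VM_PFNMAP or VM_MIXEDMAP on the VMA, so a partial backport that takes only the fault-handler change would not produce a working fault path.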
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d
WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev kalachev@swemel.ru
Commit author: Vivek Kasireddy vivek.kasireddy@intel.com
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found
Note: The patch differs from the upstream commit: --- 1: 7d79cd7844703 ! 1: edc6b0308d474 udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap @@ Metadata ## Commit message ## udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
+ [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ] + Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings would be managed without using struct page.
@@ Commit message Cc: Oscar Salvador osalvador@suse.de Cc: Shuah Khan shuah@kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org + Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
## drivers/dma-buf/udmabuf.c ## @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf) ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        | Success     | Success    |
From: Vivek Kasireddy vivek.kasireddy@intel.com
[ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ]
Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings would be managed without using struct page.
And, in the vm_fault handler, use vmf_insert_pfn to share the page's pfn to userspace instead of directly sharing the page (via struct page *).
Link: https://lkml.kernel.org/r/20240624063952.1572359-6-vivek.kasireddy@intel.com
Signed-off-by: Vivek Kasireddy vivek.kasireddy@intel.com
Suggested-by: David Hildenbrand david@redhat.com
Acked-by: David Hildenbrand david@redhat.com
Acked-by: Dave Airlie airlied@redhat.com
Acked-by: Gerd Hoffmann kraxel@redhat.com
Cc: Daniel Vetter daniel.vetter@ffwll.ch
Cc: Hugh Dickins hughd@google.com
Cc: Peter Xu peterx@redhat.com
Cc: Jason Gunthorpe jgg@nvidia.com
Cc: Dongwon Kim dongwon.kim@intel.com
Cc: Junxiao Chang junxiao.chang@intel.com
Cc: Arnd Bergmann arnd@arndb.de
Cc: Christoph Hellwig hch@infradead.org
Cc: Christoph Hellwig hch@lst.de
Cc: Matthew Wilcox (Oracle) willy@infradead.org
Cc: Mike Kravetz mike.kravetz@oracle.com
Cc: Oscar Salvador osalvador@suse.de
Cc: Shuah Khan shuah@kernel.org
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com
[ Andrey: Backport required minor change: replace call to vm_flags_set() in mmap_udmabuf() by direct modification of the vma->vm_flags, because the set of vm_flags_*() functions is not in these versions. ]
Signed-off-by: Andrey Kalachev kalachev@swemel.ru
---
drivers/dma-buf/udmabuf.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c index 2bcdb935a3ac..e57d57a10bb0 100644 --- a/drivers/dma-buf/udmabuf.c +++ b/drivers/dma-buf/udmabuf.c @@ -33,12 +33,13 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf) struct vm_area_struct *vma = vmf->vma; struct udmabuf *ubuf = vma->vm_private_data; pgoff_t pgoff = vmf->pgoff; + unsigned long pfn;
if (pgoff >= ubuf->pagecount) return VM_FAULT_SIGBUS; - vmf->page = ubuf->pages[pgoff]; - get_page(vmf->page); - return 0; + + pfn = page_to_pfn(ubuf->pages[pgoff]); + return vmf_insert_pfn(vma, vmf->address, pfn); }
static const struct vm_operations_struct udmabuf_vm_ops = { @@ -54,6 +55,7 @@ static int mmap_udmabuf(struct dma_buf *buf, struct vm_area_struct *vma)
vma->vm_ops = &udmabuf_vm_ops; vma->vm_private_data = ubuf; + vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; return 0; }
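Review bot: The bracketed backport note should name the stable trees this variant is meant for, because in mmap_udmabuf() the open-coded vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP is the only line that differs from upstream and it is correct only where vm_flags_set() is absent. The three flags match the upstream call exactly, and writing vm_flags directly is acceptable at this point because ->mmap handlers run with the mm's mmap lock held for write. Since one patch is being offered for several bases (the cover letter says v5.4-v6.1), please confirm apply and build results for each tree in that range rather than only the endpoints.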
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 7d79cd784470395539bda91bf0b3505ff5b2ab6d
WARNING: Author mismatch between patch and upstream commit:
Backport author: Andrey Kalachev kalachev@swemel.ru
Commit author: Vivek Kasireddy vivek.kasireddy@intel.com
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.11.y | Present (exact SHA1)
6.6.y | Not found
6.1.y | Not found
Note: The patch differs from the upstream commit: --- 1: 7d79cd7844703 ! 1: 14a0c0b74cf0d udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap @@ Metadata ## Commit message ## udmabuf: use vmf_insert_pfn and VM_PFNMAP for handling mmap
+ [ Upstream commit 7d79cd784470395539bda91bf0b3505ff5b2ab6d ] + Add VM_PFNMAP to vm_flags in the mmap handler to ensure that the mappings would be managed without using struct page.
@@ Commit message Cc: Oscar Salvador osalvador@suse.de Cc: Shuah Khan shuah@kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org + Reported-by: syzbot+3d218f7b6c5511a83a79@syzkaller.appspotmail.com + [ Andrey: Backport required minor change: replace call + to vm_flags_set() in mmap_udmabuf() by direct + modification of the vma->vm_flags, because the set + of vm_flags_*() functions is not in this versions. ] + Signed-off-by: Andrey Kalachev kalachev@swemel.ru
## drivers/dma-buf/udmabuf.c ## @@ drivers/dma-buf/udmabuf.c: static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf) @@ drivers/dma-buf/udmabuf.c: static int mmap_udmabuf(struct dma_buf *buf, struct v
vma->vm_ops = &udmabuf_vm_ops; vma->vm_private_data = ubuf; -+ vm_flags_set(vma, VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP); ++ vma->vm_flags |= VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; return 0; }
---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y        | Success     | Success    |
| stable/linux-5.4.y        | Success     | Success    |