From: "gregkh@linuxfoundation.org" gregkh@linuxfoundation.org
commit 0e311d237d7f3022b7dafb639b42541bfb42fe94 upstream.
When the P4D page table layer is folded at runtime, the p4d_free() should do nothing, the same as in <asm-generic/pgtable-nop4d.h>.
It seems this bug should cause double-free in efi_call_phys_epilog(), but I don't know how to trigger that code path, so I can't confirm that by testing.
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
Reviewed-by: Kirill A. Shutemov kirill.shutemov@linux.intel.com
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Peter Zijlstra peterz@infradead.org
Cc: Thomas Gleixner tglx@linutronix.de
Cc: stable@vger.kernel.org # 4.17
Fixes: 98219dda2ab5 ("x86/mm: Fold p4d page table layer at runtime")
Link: http://lkml.kernel.org/r/20180625102427.15015-1-aryabinin@virtuozzo.com
Signed-off-by: Ingo Molnar mingo@kernel.org
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
---
arch/x86/include/asm/pgalloc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index 263c142a6a6c..f65e9e1cea4c 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -184,6 +184,9 @@ static inline p4d_t *p4d_alloc_one(struct mm_struct *mm, unsigned long addr)
static inline void p4d_free(struct mm_struct *mm, p4d_t *p4d) { + if (!pgtable_l5_enabled) + return; + BUG_ON((unsigned long)p4d & (PAGE_SIZE-1)); free_page((unsigned long)p4d); }
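Review bot: The early return added at the top of p4d_free() carries no comment saying why nothing is freed when pgtable_l5_enabled is false; the reason (the P4D level is folded, so the function should do nothing, as in <asm-generic/pgtable-nop4d.h>) lives only in the commit message. A one-line comment above `if (!pgtable_l5_enabled)` would keep a later reader from taking the skipped free_page() for a leak. The commit message also states that the double-free in efi_call_phys_epilog() was not confirmed by testing, so it would help to have someone who can exercise that path verify the fix, and, since this is marked for 4.17, to confirm that `pgtable_l5_enabled` is spelled the way the target tree defines it.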
On Mon, Jul 02, 2018 at 11:45:36AM +0300, Andrey Ryabinin wrote:
From: "gregkh@linuxfoundation.org" gregkh@linuxfoundation.org
Huh? I didn't write this patch.
commit 0e311d237d7f3022b7dafb639b42541bfb42fe94 upstream.
When the P4D page table layer is folded at runtime, the p4d_free() should do nothing, the same as in <asm-generic/pgtable-nop4d.h>.
It seems this bug should cause double-free in efi_call_phys_epilog(), but I don't know how to trigger that code path, so I can't confirm that by testing.
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
Reviewed-by: Kirill A. Shutemov kirill.shutemov@linux.intel.com
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Peter Zijlstra peterz@infradead.org
Cc: Thomas Gleixner tglx@linutronix.de
Cc: stable@vger.kernel.org # 4.17
Fixes: 98219dda2ab5 ("x86/mm: Fold p4d page table layer at runtime")
Link: http://lkml.kernel.org/r/20180625102427.15015-1-aryabinin@virtuozzo.com
Signed-off-by: Ingo Molnar mingo@kernel.org
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
arch/x86/include/asm/pgalloc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index 263c142a6a6c..f65e9e1cea4c 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -184,6 +184,9 @@ static inline p4d_t *p4d_alloc_one(struct mm_struct *mm, unsigned long addr) static inline void p4d_free(struct mm_struct *mm, p4d_t *p4d) {
- if (!pgtable_l5_enabled)
return;
Did you test build this patch?
Please do so, and be careful about author attribution, again, I did not write this patch.
greg k-h
On 07/02/2018 11:47 AM, Greg KH wrote:
On Mon, Jul 02, 2018 at 11:45:36AM +0300, Andrey Ryabinin wrote:
From: "gregkh@linuxfoundation.org" gregkh@linuxfoundation.org
Huh? I didn't write this patch.
Right, I've noticed this and sent v2 with this fixed. It's because I did 'git am' on your email with the backported patch, but missed that git changed the authorship.
commit 0e311d237d7f3022b7dafb639b42541bfb42fe94 upstream.
When the P4D page table layer is folded at runtime, the p4d_free() should do nothing, the same as in <asm-generic/pgtable-nop4d.h>.
It seems this bug should cause double-free in efi_call_phys_epilog(), but I don't know how to trigger that code path, so I can't confirm that by testing.
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
Reviewed-by: Kirill A. Shutemov kirill.shutemov@linux.intel.com
Cc: Linus Torvalds torvalds@linux-foundation.org
Cc: Peter Zijlstra peterz@infradead.org
Cc: Thomas Gleixner tglx@linutronix.de
Cc: stable@vger.kernel.org # 4.17
Fixes: 98219dda2ab5 ("x86/mm: Fold p4d page table layer at runtime")
Link: http://lkml.kernel.org/r/20180625102427.15015-1-aryabinin@virtuozzo.com
Signed-off-by: Ingo Molnar mingo@kernel.org
Signed-off-by: Andrey Ryabinin aryabinin@virtuozzo.com
arch/x86/include/asm/pgalloc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h index 263c142a6a6c..f65e9e1cea4c 100644 --- a/arch/x86/include/asm/pgalloc.h +++ b/arch/x86/include/asm/pgalloc.h @@ -184,6 +184,9 @@ static inline p4d_t *p4d_alloc_one(struct mm_struct *mm, unsigned long addr) static inline void p4d_free(struct mm_struct *mm, p4d_t *p4d) {
- if (!pgtable_l5_enabled)
return;
Did you test build this patch?
Sure, successfully built on top of 4.17.3
Please do so, and be careful about author attribution, again, I did not write this patch.
greg k-h
linux-stable-mirror@lists.linaro.org