From 3652e88a874b32932a0fd1395320051d2ca23cc5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 23 Apr 2024 11:01:29 -0700
Subject: 6.8-stable patches

added patches:
userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch
---
 queue-6.8/series | 1 +
 ...ter-ensuring-it-s-unpinned-in-uffdio_move.patch | 57 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 queue-6.8/userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch

diff --git a/queue-6.8/series b/queue-6.8/series
index 27d0569db5..4f2bf462b4 100644
--- a/queue-6.8/series
+++ b/queue-6.8/series
@@ -63,6 +63,7 @@ iommufd-add-missing-iommufd_driver-kconfig-for-the-s.patch
 iommufd-add-config-needed-for-iommufd_fail_nth.patch
 drm-nv04-fix-out-of-bounds-access.patch
 drm-v3d-don-t-increment-enabled_ns-twice.patch
+userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch
 drm-panel-visionox-rm69299-don-t-unregister-dsi-devi.patch
 drm-radeon-make-fstrict-flex-arrays-3-happy.patch
 alsa-hda-realtek-fix-volumn-control-of-thinkbook-16p.patch
diff --git a/queue-6.8/userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch b/queue-6.8/userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch
new file mode 100644
index 0000000000..846ae47680
--- /dev/null
+++ b/queue-6.8/userfaultfd-change-src_folio-after-ensuring-it-s-unpinned-in-uffdio_move.patch
@@ -0,0 +1,57 @@
+From c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50 Mon Sep 17 00:00:00 2001
+From: Lokesh Gidra
+Date: Thu, 4 Apr 2024 10:17:26 -0700
+Subject: userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE
+
+From: Lokesh Gidra
+
+commit c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50 upstream.
+
+Commit d7a08838ab74 ("mm: userfaultfd: fix unexpected change to src_folio
+when UFFDIO_MOVE fails") moved the src_folio->{mapping, index} changing to
+after clearing the page-table and ensuring that it's not pinned. This
+avoids failure of swapout+migration and possibly memory corruption.
+
+However, the commit missed fixing it in the huge-page case.
+
+Link: https://lkml.kernel.org/r/20240404171726.2302435-1-lokeshgidra@google.com
+Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
+Signed-off-by: Lokesh Gidra
+Acked-by: David Hildenbrand
+Cc: Andrea Arcangeli
+Cc: Kalesh Singh
+Cc: Lokesh Gidra
+Cc: Nicolas Geoffray
+Cc: Peter Xu
+Cc: Qi Zheng
+Cc: Matthew Wilcox
+Cc: 
+Signed-off-by: Andrew Morton
+Signed-off-by: Lokesh Gidra
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/huge_memory.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2244,9 +2244,6 @@ int move_pages_huge_pmd(struct mm_struct
+ goto unlock_ptls;
+ }
+ 
+- folio_move_anon_rmap(src_folio, dst_vma);
+- WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr));
+-
+ src_pmdval = pmdp_huge_clear_flush(src_vma, src_addr, src_pmd);
+ /* Folio got pinned from under us. Put it back and fail the move. */
+ if (folio_maybe_dma_pinned(src_folio)) {
+@@ -2255,6 +2252,9 @@ int move_pages_huge_pmd(struct mm_struct
+ goto unlock_ptls;
+ }
+ 
++ folio_move_anon_rmap(src_folio, dst_vma);
++ WRITE_ONCE(src_folio->index, linear_page_index(dst_vma, dst_addr));
++
+ _dst_pmd = mk_huge_pmd(&src_folio->page, dst_vma->vm_page_prot);
+ /* Follow mremap() behavior and treat the entry dirty after the move */
+ _dst_pmd = pmd_mkwrite(pmd_mkdirty(_dst_pmd), dst_vma);
-- 
cgit 1.2.3-korg
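Review bot: The reason the two re-homing lines must come after the `folio_maybe_dma_pinned()` check now lives only in the commit message; in the second inner hunk of mm/huge_memory.c the re-added `folio_move_anon_rmap(src_folio, dst_vma);` deserves a comment such as `/* PMD is cleared and the folio is known unpinned: safe to re-home it now, so a failed move never leaves src_folio carrying dst's anon_vma/index. */`, since a later reader will otherwise be tempted to hoist these writes back above the pin check. The description frames this as the huge-page counterpart of d7a08838ab74; this page does not show whether that PTE-path fix is already in queue-6.8, which is worth confirming so both paths are consistent in the stable tree. From the lines visible here nothing after the pin check fails, but the enclosing `move_pages_huge_pmd()` starts and ends outside the hunk, so the `unlock_ptls` restore path and any later error exits are not shown.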