linux/Documentation
Ryan Roberts be0ce3f6ff mm: fix race between __split_huge_pmd_locked() and GUP-fast
commit 3a5a8d343e upstream.

__split_huge_pmd_locked() can be called for a present THP, devmap or
(non-present) migration entry.  It calls pmdp_invalidate() unconditionally
on the pmdp and only determines if it is present or not based on the
returned old pmd.  This is a problem for the migration entry case because
pmd_mkinvalid(), called by pmdp_invalidate(), must only be called for a
present pmd.

On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future
call to pmd_present() will return true.  And therefore any lockless
pgtable walker could see the migration entry pmd in this state and start
interpreting the fields as if it were present, leading to BadThings (TM).
GUP-fast appears to be one such lockless pgtable walker.

x86 does not suffer the above problem, but instead pmd_mkinvalid() will
corrupt the offset field of the swap entry within the swap pte.  See link
below for discussion of that problem.

Fix all of this by only calling pmdp_invalidate() for a present pmd.  And
for good measure let's add a warning to all implementations of
pmdp_invalidate[_ad]().  I've manually reviewed all other
pmdp_invalidate[_ad]() call sites and believe all others to be conformant.

This is a theoretical bug found during code review.  I don't have any test
case to trigger it in practice.

Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com
Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/
Fixes: 84c3fc4e9c ("mm: thp: check pmd migration entry in common path")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
Cc: Borislav Petkov (AMD) <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sven Schnelle <svens@linux.ibm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:47:40 +02:00
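The ordering problem the commit message describes, as an added illustration that is not kernel code and not part of this page: a simplified model of a pmd with an arm64-style "present but invalid" marker, a migration (swap-format) entry, and the two variants of __split_huge_pmd_locked(). The bit layout (PMD_VALID, PMD_PRESENT_INVALID, the swap type/offset fields) and the function bodies are assumptions chosen for the example; only the semantics stated in the commit (pmd_mkinvalid() makes pmd_present() true, the fix invalidates only a present pmd, implementations gain a warning) are taken from the page.

```c
/* Added example: toy model of the __split_huge_pmd_locked() / GUP-fast race.
 * Not kernel code; bit positions and encodings are invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pmd_t;

/* Hypothetical layout: hardware valid bit, software "present but invalid"
 * marker, and a swap-entry format used for migration entries. */
#define PMD_VALID            (1ULL << 0)
#define PMD_PRESENT_INVALID  (1ULL << 59)
#define PMD_PFN_SHIFT        12
#define SWP_TYPE_SHIFT       2
#define SWP_TYPE_MASK        0x1FULL
#define SWP_OFFSET_SHIFT     7
#define SWP_MIGRATION_TYPE   1ULL

static pmd_t mk_present_pmd(uint64_t pfn) { return (pfn << PMD_PFN_SHIFT) | PMD_VALID; }
static pmd_t mk_migration_pmd(uint64_t off) {
	return (SWP_MIGRATION_TYPE << SWP_TYPE_SHIFT) | (off << SWP_OFFSET_SHIFT);
}
static bool is_migration_pmd(pmd_t pmd) {
	return !(pmd & (PMD_VALID | PMD_PRESENT_INVALID)) &&
	       ((pmd >> SWP_TYPE_SHIFT) & SWP_TYPE_MASK) == SWP_MIGRATION_TYPE;
}

/* arm64-style semantics as the commit describes them: a pmd carrying the
 * PRESENT_INVALID marker reports itself as present, and pmd_mkinvalid() sets
 * that marker regardless of what the pmd held before. */
static bool pmd_present(pmd_t pmd) { return (pmd & (PMD_VALID | PMD_PRESENT_INVALID)) != 0; }
static pmd_t pmd_mkinvalid(pmd_t pmd) { return (pmd & ~PMD_VALID) | PMD_PRESENT_INVALID; }

/* Models pmdp_invalidate(): publishes the invalid form, returns the old pmd.
 * invalidate_warnings stands in for the warning the commit adds to the
 * implementations; it fires when called on a non-present pmd. */
static int invalidate_warnings;
static pmd_t pmdp_invalidate(pmd_t *pmdp) {
	pmd_t old = *pmdp;
	if (!pmd_present(old))
		invalidate_warnings++;
	*pmdp = pmd_mkinvalid(old);
	return old;
}

/* A lockless walker (GUP-fast) reading the pmd concurrently: it will decode
 * pfn fields from anything that looks present. */
static bool walker_sees_present_thp(pmd_t observed) { return pmd_present(observed); }

/* Before the fix: invalidate first, classify from the returned old value. */
static bool split_huge_pmd_locked_buggy(pmd_t *pmdp) {
	pmd_t old = pmdp_invalidate(pmdp);
	return pmd_present(old);
}

/* After the fix: classify first, invalidate only a present pmd. */
static bool split_huge_pmd_locked_fixed(pmd_t *pmdp) {
	pmd_t old = *pmdp;
	bool present = pmd_present(old);
	if (present)
		pmdp_invalidate(pmdp);
	return present;
}

/* The buggy path classifies correctly (old pmd was not present) but leaves a
 * migration entry in a state a lockless walker reads as a present THP. */
static bool buggy_exposes_migration_as_present(void) {
	pmd_t pmd = mk_migration_pmd(0xABCD);
	bool classified_present = split_huge_pmd_locked_buggy(&pmd);
	return !classified_present && walker_sees_present_thp(pmd);
}

static bool fixed_exposes_migration_as_present(void) {
	pmd_t pmd = mk_migration_pmd(0xABCD);
	(void)split_huge_pmd_locked_fixed(&pmd);
	return walker_sees_present_thp(pmd);
}

static bool fixed_keeps_migration_entry_intact(void) {
	pmd_t pmd = mk_migration_pmd(0xABCD);
	return !split_huge_pmd_locked_fixed(&pmd) && is_migration_pmd(pmd);
}

/* A genuinely present THP must still be invalidated by both variants. */
static bool both_paths_invalidate_present_thp(void) {
	pmd_t a = mk_present_pmd(0x1234), b = mk_present_pmd(0x1234);
	bool pa = split_huge_pmd_locked_buggy(&a), pb = split_huge_pmd_locked_fixed(&b);
	return pa && pb && a == b && pmd_present(a) && !(a & PMD_VALID);
}

/* Count of warnings the modelled pmdp_invalidate() raises for one split of a
 * migration entry on the chosen path. */
static int warnings_on_migration_entry(bool use_fixed) {
	pmd_t pmd = mk_migration_pmd(0x42);
	invalidate_warnings = 0;
	if (use_fixed)
		split_huge_pmd_locked_fixed(&pmd);
	else
		split_huge_pmd_locked_buggy(&pmd);
	return invalidate_warnings;
}

int main(void) {
	printf("buggy path: walker sees migration entry as present = %d\n",
	       buggy_exposes_migration_as_present());
	printf("fixed path: walker sees migration entry as present = %d\n",
	       fixed_exposes_migration_as_present());
	printf("warnings buggy=%d fixed=%d\n",
	       warnings_on_migration_entry(false), warnings_on_migration_entry(true));
	return 0;
}
```

The point of the model is the window between pmdp_invalidate() and the later write of the split page table: the caller's own classification is unaffected because it uses the returned old value, so the bug is invisible to the splitting thread and only a concurrent lockless reader (GUP-fast) sees the transiently "present" migration entry. That is why the fix moves the present check before the call rather than after it.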
ABI block: add a partscan sysfs attribute for disks 2024-05-25 16:22:55 +02:00
accel
accounting
admin-guide cpu: Ignore "mitigations" kernel parameter if CPU_MITIGATIONS=n 2024-06-12 11:11:24 +02:00
arch x86/Kconfig: Remove CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT 2024-04-03 15:28:50 +02:00
block Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
bpf Including fixes from netfilter and bpf. 2023-09-07 18:33:07 -07:00
cdrom
core-api workqueue: doc: Fix function and sysfs path errors 2023-10-12 07:27:22 -10:00
cpu-freq
crypto
dev-tools LoongArch changes for v6.6 2023-09-08 12:16:52 -07:00
devicetree dt-bindings: adc: axi-adc: add clocks property 2024-06-12 11:12:36 +02:00
doc-guide
driver-api pwm: Rename pwm_apply_state() to pwm_apply_might_sleep() 2024-06-12 11:12:24 +02:00
fault-injection Documentation: Fix typos 2023-08-18 11:29:03 -06:00
fb Documentation: Fix typos 2023-08-18 11:29:03 -06:00
features LoongArch changes for v6.6 2023-09-08 12:16:52 -07:00
filesystems f2fs: deprecate io_bits 2024-06-12 11:12:29 +02:00
firmware_class
firmware-guide Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
fpga
gpu drm: Allow drivers to indicate the damage helpers to ignore damage clips 2024-01-31 16:19:08 -08:00
hid
hwmon Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
i2c i2c: i801: Add support for Intel Birch Stream SoC 2023-11-28 17:19:46 +00:00
iio
images
infiniband
input input: docs: pxrc: remove reference to phoenix-sim 2023-08-28 12:43:32 -06:00
isdn
kbuild Documentation: kbuild: explain handling optional dependencies 2023-09-25 16:01:05 +09:00
kernel-hacking
leds
litmus-tests
livepatch Documentation: Fix typos 2023-08-18 11:29:03 -06:00
locking Documentation: Fix typos 2023-08-18 11:29:03 -06:00
maintainer Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
mhi
misc-devices
mm mm: fix race between __split_huge_pmd_locked() and GUP-fast 2024-06-16 13:47:40 +02:00
netlabel
netlink netlink: specs: devlink: fix reply command values 2023-10-13 17:27:27 -07:00
networking net: ena: Move XDP code to its new files 2024-04-17 11:19:32 +02:00
nvdimm
nvme
PCI Merge branch 'pci/misc' 2023-08-29 11:03:57 -05:00
pcmcia
peci
power Documentation: Fix typos 2023-08-18 11:29:03 -06:00
powerpc docs: kernel_feat.py: fix potential command injection 2024-01-31 16:18:46 -08:00
process rust: upgrade to Rust 1.73.0 2024-02-16 19:10:43 +01:00
RCU
riscv docs: kernel_feat.py: fix potential command injection 2024-01-31 16:18:46 -08:00
rust docs: rust: update Rust docs output path 2023-10-19 16:39:03 +02:00
scheduler Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
scsi SCSI misc on 20230902 2023-09-02 12:02:41 -07:00
security Documentation: Fix typos 2023-08-18 11:29:03 -06:00
sound ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument 2024-02-05 20:14:26 +00:00
sphinx docs: kernel_include.py: Cope with docutils 0.21 2024-05-25 16:22:55 +02:00
sphinx-static
spi Documentation: Fix typos 2023-08-18 11:29:03 -06:00
staging
target
timers
tools rtla: fix a example in rtla-timerlat-hist.rst 2023-09-22 14:44:04 +02:00
trace Documentation: probes: Add a new ret_ip callback parameter 2023-10-17 10:21:45 +09:00
translations docs: kernel_feat.py: fix potential command injection 2024-01-31 16:18:46 -08:00
usb USB / Thunderbolt / PHY driver update for 6.6-rc1 2023-09-01 09:23:34 -07:00
userspace-api media: mc: Expand MUST_CONNECT flag to always require an enabled link 2024-04-03 15:28:17 +02:00
virt ARM: 2023-09-07 13:52:20 -07:00
w1 Documentation: Fix typos 2023-08-18 11:29:03 -06:00
watchdog Documentation: Fix typos 2023-08-18 11:29:03 -06:00
wmi Documentation work keeps chugging along; stuff for 6.6 includes: 2023-08-30 20:05:42 -07:00
.gitignore
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py docs: Restore "smart quotes" for quotes 2024-04-03 15:28:22 +02:00
docutils.conf
dontdiff
index.rst
Kconfig
Makefile
memory-barriers.txt
SubmittingPatches
subsystem-apis.rst