From patchwork Wed Feb 26 18:55:09 2025
X-Patchwork-Submitter: Suren Baghdasaryan
X-Patchwork-Id: 13992985
Date: Wed, 26 Feb 2025 10:55:09 -0800
In-Reply-To: <20250226185510.2732648-1-surenb@google.com>
References: <20250226185510.2732648-1-surenb@google.com>
Message-ID: <20250226185510.2732648-3-surenb@google.com>
Subject: [PATCH 2/2] userfaultfd: fix PTE unmapping stack-allocated PTE copies
From: Suren Baghdasaryan
To: akpm@linux-foundation.org
Cc: lokeshgidra@google.com, aarcange@redhat.com, 21cnbao@gmail.com, v-songbaohua@oppo.com, david@redhat.com, peterx@redhat.com, willy@infradead.org, Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, hughd@google.com, jannh@google.com, kaleshsingh@google.com, surenb@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

Current implementation of move_pages_pte() copies source and destination PTEs in order to detect concurrent changes to PTEs involved in the move. However these copies are also used to unmap the PTEs, which will fail if CONFIG_HIGHPTE is enabled because the copies are allocated on the stack. Fix this by using the actual PTEs which were kmap()ed.

Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
Reported-by: Peter Xu
Signed-off-by: Suren Baghdasaryan
Cc: stable@vger.kernel.org
Reviewed-by: Peter Xu
---
 mm/userfaultfd.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index e0f1e38ac5d8..dda1c9a3662a 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -1290,8 +1290,8 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, spin_unlock(src_ptl); if (!locked) { - pte_unmap(&orig_src_pte); - pte_unmap(&orig_dst_pte); + pte_unmap(src_pte); + pte_unmap(dst_pte); src_pte = dst_pte = NULL; /* now we can block and wait */ folio_lock(src_folio); 
@@ -1307,8 +1307,8 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, /* at this point we have src_folio locked */ if (folio_test_large(src_folio)) { /* split_folio() can block */ - pte_unmap(&orig_src_pte); - pte_unmap(&orig_dst_pte); + pte_unmap(src_pte); + pte_unmap(dst_pte); src_pte = dst_pte = NULL; err = split_folio(src_folio); if (err) @@ -1333,8 +1333,8 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, goto out; } if (!anon_vma_trylock_write(src_anon_vma)) { - pte_unmap(&orig_src_pte); - pte_unmap(&orig_dst_pte); + pte_unmap(src_pte); + pte_unmap(dst_pte); src_pte = dst_pte = NULL; /* now we can block and wait */ anon_vma_lock_write(src_anon_vma); @@ -1352,8 +1352,8 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, entry = pte_to_swp_entry(orig_src_pte); if (non_swap_entry(entry)) { if (is_migration_entry(entry)) { - pte_unmap(&orig_src_pte); - pte_unmap(&orig_dst_pte); + pte_unmap(src_pte); + pte_unmap(dst_pte); src_pte = dst_pte = NULL; migration_entry_wait(mm, src_pmd, src_addr); err = -EAGAIN; @@ -1396,8 +1396,8 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd, src_folio = folio; src_folio_pte = orig_src_pte; if (!folio_trylock(src_folio)) { - pte_unmap(&orig_src_pte); - pte_unmap(&orig_dst_pte); + pte_unmap(src_pte); + pte_unmap(dst_pte); src_pte = dst_pte = NULL; /* now we can block and wait */ folio_lock(src_folio);
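Review bot: the switch from pte_unmap(&orig_src_pte) / pte_unmap(&orig_dst_pte) to pte_unmap(src_pte) / pte_unmap(dst_pte) in the @@ -1290 hunk is the right fix, and it is needed at every one of the block-and-retry sites that follow, because pte_unmap() has to be given the pointer that the map operation returned; orig_src_pte and orig_dst_pte are value copies living on the stack, taken (per the commit message) to detect concurrent changes, so under CONFIG_HIGHPTE handing their addresses to pte_unmap() asks it to tear down a mapping that was never created at that address. Since the orig_ names make the copies look like something that can be unmapped, a one-line comment where they are declared, or a name such as src_pte_val, would keep the next reader from reintroducing this.

Review bot: the three-line sequence pte_unmap(src_pte); pte_unmap(dst_pte); src_pte = dst_pte = NULL; now appears verbatim in all five hunks (@@ -1290, -1307, -1333, -1352 and -1396). Consider folding it into a small static helper that takes the two mapped pointers by address and clears them, so the mapped-pointer versus stack-copy distinction is enforced in exactly one place and a future sixth "drop the PTE maps before blocking" site cannot regress. That is a follow-up rather than a blocker for a stable-bound fix.

Review bot: in the @@ -1352 hunk the line above the unmap, entry = pte_to_swp_entry(orig_src_pte);, still reads the stack copy, and @@ -1396 likewise keeps src_folio_pte = orig_src_pte;. Both should stay as they are: the copies remain the correct source for PTE values and for the concurrent-change detection the commit message describes, and only the unmap calls needed to move to src_pte/dst_pte. One sentence in the commit message saying that the copies are still read and only the unmap arguments change would stop a backporter from over-applying the rename.

To make the bug class concrete outside the kernel, here is an added example in C; it is not code from the patch, from mm/userfaultfd.c or from the kernel, and every model_* name and the mapping-depth counter are invented for the illustration. It models a CONFIG_HIGHPTE-style page-table page that is only reachable through a temporary mapping, takes the same value snapshots that move_pages_pte() takes, and then shows what happens when the snapshot's address rather than the mapped pointer is passed to the unmap routine: the unmap is rejected and the mapping leaks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pte_t;
#define PTRS_PER_PTE 8

/* Backing store for a page-table page that, like a CONFIG_HIGHPTE page,
 * is only reachable while a temporary mapping is active. Constructed data. */
static pte_t highmem_ptes[PTRS_PER_PTE] = { 0x1001, 0x2001, 0x3001, 0x4001 };

/* Number of temporary mappings currently active (kmap_local-style nesting). */
static int map_depth;

int model_map_depth(void) { return map_depth; }
void model_reset(void) { map_depth = 0; }

/* Model of pte_offset_map(): take a mapping and return a pointer *into* it. */
pte_t *model_pte_map(size_t idx)
{
    if (idx >= PTRS_PER_PTE)
        return NULL;
    map_depth++;
    return &highmem_ptes[idx];
}

/* Model of pte_unmap() under CONFIG_HIGHPTE: the argument must be an address
 * inside an active mapping. Returns 0 on success, -1 if handed anything else
 * (a stack copy, for instance); the mapping is not released in that case. */
int model_pte_unmap(const pte_t *p)
{
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)highmem_ptes;
    uintptr_t hi = (uintptr_t)(highmem_ptes + PTRS_PER_PTE);

    if (map_depth == 0 || a < lo || a >= hi)
        return -1;
    map_depth--;
    return 0;
}

/* The map / snapshot / unmap skeleton of move_pages_pte(). With
 * unmap_via_snapshot set it does what the pre-patch code did,
 * pte_unmap(&orig_src_pte); otherwise it does what the patch does,
 * pte_unmap(src_pte). Returns how many unmap calls were rejected. */
int model_move(bool unmap_via_snapshot)
{
    pte_t *src_pte = model_pte_map(1);
    pte_t *dst_pte = model_pte_map(2);
    pte_t orig_src_pte = *src_pte;   /* value snapshots live on the stack */
    pte_t orig_dst_pte = *dst_pte;
    int rejected = 0;

    /* The snapshots are the right thing to *read*: they let the caller
     * detect a concurrent change after dropping and retaking locks. */
    if (*src_pte != orig_src_pte || *dst_pte != orig_dst_pte)
        return -1;   /* would be -EAGAIN in the kernel; cannot happen here */

    /* ...but they are the wrong thing to *unmap*. */
    if (unmap_via_snapshot) {
        rejected += model_pte_unmap(&orig_src_pte) != 0;
        rejected += model_pte_unmap(&orig_dst_pte) != 0;
    } else {
        rejected += model_pte_unmap(src_pte) != 0;
        rejected += model_pte_unmap(dst_pte) != 0;
    }
    return rejected;
}

int main(void)
{
    int r;

    model_reset();
    r = model_move(true);
    printf("pre-patch pattern: %d unmap calls rejected, %d mappings leaked\n",
           r, model_map_depth());

    model_reset();
    r = model_move(false);
    printf("patched pattern:   %d unmap calls rejected, %d mappings leaked\n",
           r, model_map_depth());
    return 0;
}
```

The model deliberately keeps the value snapshots for the concurrent-change comparison and changes only the argument of the unmap call, which is exactly the split the patch makes: orig_src_pte and orig_dst_pte stay as the things to read, src_pte and dst_pte are the things to unmap.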