From patchwork Tue Apr 8 16:07:32 2025
X-Patchwork-Submitter: Alexander Gordeev
X-Patchwork-Id: 14043322
From: Alexander Gordeev
To: Andrew Morton, Andrey Ryabinin
Cc: Hugh Dickins, Nicholas Piggin, Guenter Roeck, Juergen Gross, Jeremy Fitzhardinge, linux-kernel@vger.kernel.org, linux-mm@kvack.org, kasan-dev@googlegroups.com, sparclinux@vger.kernel.org, xen-devel@lists.xenproject.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2 3/3] mm: Protect kernel pgtables in apply_to_pte_range()
Date: Tue, 8 Apr 2025 18:07:32 +0200

The lazy MMU mode can only be entered and left under the protection
of the page table locks for all page tables which may be modified.
Yet, when it comes to kernel mappings apply_to_pte_range() does not
take any locks. That does not conform to arch_enter|leave_lazy_mmu_mode()
semantics and could potentially lead to rescheduling a process while
in lazy MMU mode or racing on kernel page table updates.

Cc: stable@vger.kernel.org
Fixes: 38e0edb15bd0 ("mm/apply_to_range: call pte function with lazy updates")
Signed-off-by: Alexander Gordeev
--- mm/kasan/shadow.c | 7 ++----- mm/memory.c | 5 ++++- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/mm/kasan/shadow.c b/mm/kasan/shadow.c index edfa77959474..6531a7aa8562 100644 --- a/mm/kasan/shadow.c +++ b/mm/kasan/shadow.c @@ -308,14 +308,14 @@ static int kasan_populate_vmalloc_pte(pte_t *ptep, unsigned long addr, __memset((void *)page, KASAN_VMALLOC_INVALID, PAGE_SIZE); pte = pfn_pte(PFN_DOWN(__pa(page)), PAGE_KERNEL); - spin_lock(&init_mm.page_table_lock); if (likely(pte_none(ptep_get(ptep)))) { set_pte_at(&init_mm, addr, ptep, pte); page = 0; } - spin_unlock(&init_mm.page_table_lock); + if (page) free_page(page); + return 0; } @@ -401,13 +401,10 @@ static int kasan_depopulate_vmalloc_pte(pte_t *ptep, unsigned long addr, page = (unsigned long)__va(pte_pfn(ptep_get(ptep)) << PAGE_SHIFT); - spin_lock(&init_mm.page_table_lock); - if (likely(!pte_none(ptep_get(ptep)))) { pte_clear(&init_mm, addr, ptep); free_page(page); } - spin_unlock(&init_mm.page_table_lock); return 0; } diff --git a/mm/memory.c b/mm/memory.c index f0201c8ec1ce..1f3727104e99 100644 --- a/mm/memory.c +++ b/mm/memory.c 
@@ -2926,6 +2926,7 @@ static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, pte = pte_offset_kernel(pmd, addr); if (!pte) return err; + spin_lock(&init_mm.page_table_lock); } else { if (create) pte = pte_alloc_map_lock(mm, pmd, addr, &ptl); @@ -2951,7 +2952,9 @@ static int apply_to_pte_range(struct mm_struct *mm, pmd_t *pmd, arch_leave_lazy_mmu_mode(); - if (mm != &init_mm) + if (mm == &init_mm) + spin_unlock(&init_mm.page_table_lock); + else pte_unmap_unlock(mapped_pte, ptl); *mask |= PGTBL_PTE_MODIFIED;
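
Review bot: In mm/kasan/shadow.c, both kasan_populate_vmalloc_pte() and kasan_depopulate_vmalloc_pte() keep their pte_none() check followed by set_pte_at() or pte_clear(), but after the local spin_lock()/spin_unlock() pairs are dropped nothing in either callback states or checks that the caller holds init_mm.page_table_lock. Consider adding lockdep_assert_held(&init_mm.page_table_lock) at the top of both callbacks, or at least a comment naming the lock they rely on, so a later caller that reaches them without the lock is caught instead of silently racing. Separately, the two added lines in the populate hunk (around "if (page) free_page(page);" and before "return 0;") appear to be blank lines only; for a change tagged Cc: stable that whitespace churn is better left out.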
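
Review bot: In mm/memory.c, taking spin_lock(&init_mm.page_table_lock) right after pte_offset_kernel() means everything up to the new spin_unlock() after arch_leave_lazy_mmu_mode() now runs in atomic context for kernel mappings, and the commit message does not say that the callbacks invoked in that window were audited for sleeping calls. The kasan_populate_vmalloc_pte() callback touched by this same patch obtains "page" above the visible context of its hunk; please confirm that allocation cannot sleep, or move it out of the locked region. It would also help to document the new rule (callbacks for init_mm are called with init_mm.page_table_lock held and must not sleep) in the function comment, and to confirm that every exit path between the lock and the "if (mm == &init_mm) spin_unlock(...)" hunk goes through the unlock, since only the "if (!pte) return err;" path before the lock is visible here.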