From patchwork Thu Jan 10 00:51:17 2019
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 10755035
From: Sean Christopherson
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, leozinho29_eu@hotmail.com, Mike Galbraith, Adam Borowski, Jérôme Glisse, Christian König, Jan Kara, Matthew Wilcox, Ross Zwisler, Dan Williams, Paolo Bonzini, Radim Krčmář, Michal Hocko, Felix Kuehling, Ralph Campbell, John Hubbard, Andrew Morton, Linus Torvalds
Subject: [PATCH] mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
Date: Wed, 9 Jan 2019 16:51:17 -0800
Message-Id: <20190110005117.18282-1-sean.j.christopherson@intel.com>

The conversion to use a structure for mmu_notifier_invalidate_range_*()
unintentionally changed the usage in try_to_unmap_one() to init the
'struct mmu_notifier_range' with vma->vm_start instead of @address,
i.e. it invalidates the wrong address range.  Revert to the correct
address range.

Manifests as KVM use-after-free WARNINGs and subsequent "BUG: Bad page
state in process X" errors when reclaiming from a KVM guest due to KVM
removing the wrong pages from its own mappings.

Reported-by: leozinho29_eu@hotmail.com
Reported-by: Mike Galbraith
Reported-by: Adam Borowski
Cc: Jérôme Glisse
Cc: Christian König
Cc: Jan Kara
Cc: Matthew Wilcox
Cc: Ross Zwisler
Cc: Dan Williams
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Michal Hocko
Cc: Felix Kuehling
Cc: Ralph Campbell
Cc: John Hubbard
Cc: Andrew Morton
Cc: Linus Torvalds
Fixes: ac46d4f3c432 ("mm/mmu_notifier: use structure for invalidate_range_start/end calls v2")
Signed-off-by: Sean Christopherson
Reviewed-by: Jérôme Glisse
Reviewed-by: Pankaj gupta
---
FWIW, I looked through all other calls to mmu_notifier_range_init() in the
patch and didn't spot any other unintentional functional changes.

 mm/rmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/rmap.c b/mm/rmap.c index 68a1a5b869a5..0454ecc29537 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1371,8 +1371,8 @@ static bool try_to_unmap_one(struct page *page, struct vm_area_struct *vma, * Note that the page can not be free in this function as call of * try_to_unmap() must hold a reference on the page. */ - mmu_notifier_range_init(&range, vma->vm_mm, vma->vm_start, - min(vma->vm_end, vma->vm_start + + mmu_notifier_range_init(&range, vma->vm_mm, address, + min(vma->vm_end, address + (PAGE_SIZE << compound_order(page)))); if (PageHuge(page)) { /*
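Review bot: the comment immediately above the changed call ("Note that the page can not be free in this function as call of try_to_unmap() must hold a reference on the page.") says nothing about what the notifier range has to cover, so a future refactor of this call can silently repeat the mistake; consider adding one line there stating that the range starts at @address and spans the (possibly compound) page being unmapped, clamped to vma->vm_end. The fix itself is right: with vma->vm_start as the base, the invalidated range [vm_start, min(vm_end, vm_start + (PAGE_SIZE << compound_order(page)))) only contains the unmapped page when address == vm_start, so for every other page in the VMA the secondary MMU is never told and keeps a stale mapping, which is exactly the KVM use-after-free the commit message describes. The diffstat (2 insertions, 2 deletions in mm/rmap.c) matches the hunk.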
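To make the effect of the one-word change concrete, here is an added model of the range arithmetic in try_to_unmap_one(); it is illustration code, not part of the patch or of mm/rmap.c, and it assumes a 4 KiB PAGE_SIZE, a hypothetical `struct range`/`struct vma` pair standing in for the kernel types, and a constructed VMA and address.

```c
/* Added illustration, not code from the patch or from mm/rmap.c. It models only
 * the range arithmetic in try_to_unmap_one(): the range handed to MMU notifiers
 * must cover the page being unmapped, or a secondary MMU such as KVM keeps a
 * stale mapping of it. PAGE_SIZE is assumed to be 4 KiB. */
#include <stdbool.h>
#include <stdio.h>
#define PAGE_SIZE 4096UL

struct range { unsigned long start, end; };   /* [start, end) */
struct vma   { unsigned long vm_start, vm_end; };

static unsigned long min_ul(unsigned long a, unsigned long b) { return a < b ? a : b; }

/* Range as computed before the fix: anchored at vma->vm_start, @address unused. */
struct range range_before_fix(const struct vma *vma, unsigned long address,
			      unsigned int order)
{
	struct range r = { vma->vm_start,
			   min_ul(vma->vm_end, vma->vm_start + (PAGE_SIZE << order)) };
	(void)address;
	return r;
}

/* Range as computed after the fix: anchored at @address. */
struct range range_after_fix(const struct vma *vma, unsigned long address,
			     unsigned int order)
{
	struct range r = { address, min_ul(vma->vm_end, address + (PAGE_SIZE << order)) };
	return r;
}

/* Invariant to check: the range covers the whole (possibly compound) page
 * mapped at @address, clamped to the end of the VMA. */
bool range_covers_page(struct range r, const struct vma *vma,
		       unsigned long address, unsigned int order)
{
	unsigned long page_end = min_ul(vma->vm_end, address + (PAGE_SIZE << order));
	return r.start <= address && r.end >= page_end;
}

int main(void)
{
	/* Constructed sample: 16 MiB VMA with a 2 MiB THP (order 9) mapped 8 MiB in. */
	struct vma vma = { 0x10000000UL, 0x10000000UL + (16UL << 20) };
	unsigned long addr = vma.vm_start + (8UL << 20);

	printf("before fix covers page: %d, after fix: %d\n",
	       range_covers_page(range_before_fix(&vma, addr, 9), &vma, addr, 9),
	       range_covers_page(range_after_fix(&vma, addr, 9), &vma, addr, 9));
	return 0;
}
```

The pre-fix range only passes the check when the page happens to sit at vm_start, which is why the bug surfaced as reclaim of KVM guest memory rather than as an immediate failure.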