evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/mm
History
Matthew Wilcox (Oracle) eb4058d8da memfd: Fix locking when tagging pins 
The RCU lock is insufficient to protect the radix tree iteration as
a deletion from the tree can occur before we take the spinlock to
tag the entry.  In 4.19, this has manifested as a bug with the following
trace:

kernel BUG at lib/radix-tree.c:1429!
invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 7 PID: 6935 Comm: syz-executor.2 Not tainted 4.19.36 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:radix_tree_tag_set+0x200/0x2f0 lib/radix-tree.c:1429
Code: 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 44 24 10 e8 a3 29 7e fe 48 8b 44 24 10 48 0f ab 03 e9 d2 fe ff ff e8 90 29 7e fe <0f> 0b 48 c7 c7 e0 5a 87 84 e8 f0 e7 08 ff 4c 89 ef e8 4a ff ac fe
RSP: 0018:ffff88837b13fb60 EFLAGS: 00010016
RAX: 0000000000040000 RBX: ffff8883c5515d58 RCX: ffffffff82cb2ef0
RDX: 0000000000000b72 RSI: ffffc90004cf2000 RDI: ffff8883c5515d98
RBP: ffff88837b13fb98 R08: ffffed106f627f7e R09: ffffed106f627f7e
R10: 0000000000000001 R11: ffffed106f627f7d R12: 0000000000000004
R13: ffffea000d7fea80 R14: 1ffff1106f627f6f R15: 0000000000000002
FS:  00007fa1b8df2700(0000) GS:ffff8883e2fc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa1b8df1db8 CR3: 000000037d4d2001 CR4: 0000000000160ee0
Call Trace:
 memfd_tag_pins mm/memfd.c:51 [inline]
 memfd_wait_for_pins+0x2c5/0x12d0 mm/memfd.c:81
 memfd_add_seals mm/memfd.c:215 [inline]
 memfd_fcntl+0x33d/0x4a0 mm/memfd.c:247
 do_fcntl+0x589/0xeb0 fs/fcntl.c:421
 __do_sys_fcntl fs/fcntl.c:463 [inline]
 __se_sys_fcntl fs/fcntl.c:448 [inline]
 __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:448
 do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:293

The problem does not occur in mainline due to the XArray rewrite which
changed the locking to exclude modification of the tree during iteration.
At the time, nobody realised this was a bugfix.  Backport the locking
changes to stable.

Cc: stable@vger.kernel.org
Reported-by: zhong jiang <zhongjiang@huawei.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-10-29 09:13:23 +01:00
..
kasan kasan: fix shadow_size calculation error in kasan_module_alloc 2018-08-24 13:26:58 +02:00
backing-dev.c writeback: synchronize sync(2) against cgroup writeback membership switches 2019-06-11 12:23:41 +02:00
balloon_compaction.c
bootmem.c
cleancache.c
cma.c mm/cma.c: fail if fixed declaration can't be honored 2019-08-06 18:28:27 +02:00
cma.h
cma_debug.c mm/cma_debug.c: fix the break condition in cma_maxchunk_get() 2019-06-22 08:18:18 +02:00
compaction.c
debug-pagealloc.c
debug.c mm: get rid of vmacache_flush_all() entirely 2018-09-19 22:49:00 +02:00
dmapool.c
early_ioremap.c mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep 2018-02-25 11:03:41 +01:00
fadvise.c mm/fadvise.c: fix signed overflow UBSAN complaint 2018-09-15 09:40:38 +02:00
failslab.c
filemap.c mm: filemap: avoid unnecessary calls to lock_page when waiting for IO to complete during a read 2018-05-26 08:48:54 +02:00
frame_vector.c mm: replace get_vaddr_frames() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
frontswap.c
gup.c proc: do not access cmdline nor environ from file-backed areas 2018-12-17 21:55:17 +01:00
highmem.c
huge_memory.c mremap: properly flush TLB before releasing the page 2018-11-10 07:41:42 -08:00
hugetlb.c hugetlbfs: on restore reserve error path retain subpool reservation 2019-06-22 08:18:17 +02:00
hugetlb_cgroup.c
hwpoison-inject.c
init-mm.c
internal.h
interval_tree.c
Kconfig mm: don't allow deferred pages with NEED_PER_CPU_KM 2018-05-26 08:48:55 +02:00
Kconfig.debug
kmemcheck.c
kmemleak-test.c
kmemleak.c mm/kmemleak.c: fix check for softirq context 2019-08-04 09:34:59 +02:00
ksm.c mm/ksm: fix interaction with THP 2018-05-30 07:49:08 +02:00
list_lru.c mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node 2019-06-22 08:18:22 +02:00
maccess.c
madvise.c mm: madvise(MADV_DODUMP): allow hugetlbfs pages 2018-10-10 08:52:11 +02:00
Makefile
memblock.c
memcontrol.c mm/memcontrol.c: fix use after free in mem_cgroup_iter() 2019-08-25 10:52:56 +02:00
memory-failure.c
memory.c mm: replace access_remote_vm() write parameter with gup_flags 2018-12-17 21:55:17 +01:00
memory_hotplug.c mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone 2019-03-23 08:44:26 +01:00
mempolicy.c mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified 2019-04-27 09:33:47 +02:00
mempool.c
memtest.c
migrate.c hugetlbfs: fix races and page leaks during migration 2019-03-23 08:44:23 +01:00
mincore.c mm/mincore.c: make mincore() more conservative 2019-06-11 12:23:36 +02:00
mlock.c mm: mlock: avoid increase mm->locked_vm on mlock() when already mlock2(,MLOCK_ONFAULT) 2018-12-13 09:21:33 +01:00
mm_init.c
mmap.c coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping 2019-06-22 08:18:27 +02:00
mmu_context.c
mmu_notifier.c mm/mmu_notifier: use hlist_add_head_rcu() 2019-08-04 09:34:59 +02:00
mmzone.c
mprotect.c x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings 2018-08-15 17:42:10 +02:00
mremap.c mremap: properly flush TLB before releasing the page 2018-11-10 07:41:42 -08:00
msync.c
nobootmem.c
nommu.c mm: replace access_remote_vm() write parameter with gup_flags 2018-12-17 21:55:17 +01:00
oom_kill.c mm, oom: fix use-after-free in oom_kill_process 2019-02-06 19:43:07 +01:00
page-writeback.c mm/page-writeback.c: don't break integrity writeback on ->writepage() error 2019-01-26 09:42:55 +01:00
page_alloc.c mm, page_alloc: do not break __GFP_THISNODE by zonelist reset 2018-07-11 16:03:51 +02:00
page_counter.c
page_ext.c mm/page_ext.c: fix an imbalance with kmemleak 2019-04-27 09:33:48 +02:00
page_idle.c mm/page_idle.c: fix oops because end_pfn is larger than max_pfn 2019-07-10 09:56:30 +02:00
page_io.c
page_isolation.c
page_owner.c
pagewalk.c
percpu-km.c
percpu-vm.c
percpu.c percpu: include linux/sched.h for cond_resched() 2018-05-16 10:06:46 +02:00
pgtable-generic.c
process_vm_access.c mm: replace get_user_pages_unlocked() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
quicklist.c
readahead.c
rmap.c mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON 2019-04-03 06:23:18 +02:00
shmem.c memfd: Fix locking when tagging pins 2019-10-29 09:13:23 +01:00
slab.c mm/slab.c: kmemleak no scan alien caches 2019-04-27 09:33:48 +02:00
slab.h
slab_common.c
slob.c
slub.c slub: make ->cpu_partial unsigned int 2018-10-10 08:52:08 +02:00
sparse-vmemmap.c
sparse.c
swap.c
swap_cgroup.c
swap_state.c
swapfile.c x86/speculation/l1tf: Limit swap file size to MAX_PA/2 2018-08-15 17:42:10 +02:00
truncate.c mm: cleancache: fix corruption on missed inode invalidation 2018-12-13 09:21:33 +01:00
userfaultfd.c
util.c mm: replace get_user_pages_unlocked() write/force parameters with gup_flags 2018-12-17 21:55:16 +01:00
vmacache.c mm: get rid of vmacache_flush_all() entirely 2018-09-19 22:49:00 +02:00
vmalloc.c mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() 2019-08-25 10:52:44 +02:00
vmpressure.c
vmscan.c mm: fix the NULL mapping case in __isolate_lru_page() 2018-06-06 16:46:23 +02:00
vmstat.c mm, vmstat: make quiet_vmstat lighter 2019-08-04 09:35:01 +02:00
workingset.c
zbud.c
zpool.c
zsmalloc.c
zswap.c zswap: re-check zswap_is_full() after do zswap_shrink() 2018-09-05 09:18:36 +02:00