Revision 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c authored by Kirill A. Shutemov on 24 July 2020, 04:15:11 UTC, committed by Linus Torvalds on 24 July 2020, 19:42:41 UTC
VMA with VM_GROWSDOWN or VM_GROWSUP flag set can change their size under
mmap_read_lock(). It can lead to race with __do_munmap():
Thread A Thread B
__do_munmap()
detach_vmas_to_be_unmapped()
mmap_write_downgrade()
expand_downwards()
vma->vm_start = address;
// The VMA now overlaps with
// VMAs detached by the Thread A
// page fault populates expanded part
// of the VMA
unmap_region()
// Zaps pagetables partly
// populated by Thread B
Similar race exists for expand_upwards().
The fix is to avoid downgrading mmap_lock in __do_munmap() if detached
VMAs are next to VM_GROWSDOWN or VM_GROWSUP VMA.
[akpm@linux-foundation.org: s/mmap_sem/mmap_lock/ in comment]
Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Yang Shi <yang.shi@linux.alibaba.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org> [4.20+]
Link: http://lkml.kernel.org/r/20200709105309.42495-1-kirill.shutemov@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent f37e99a
gfp-translate
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0-only
# Translate the bits making up a GFP mask
# (c) 2009, Mel Gorman <mel@csn.ul.ie>
SOURCE=
GFPMASK=none
# Helper function to report failures and exit
die() {
echo ERROR: $@
if [ "$TMPFILE" != "" ]; then
rm -f $TMPFILE
fi
exit -1
}
usage() {
echo "usage: gfp-translate [-h] [ --source DIRECTORY ] gfpmask"
exit 0
}
# Parse command-line arguments
while [ $# -gt 0 ]; do
case $1 in
--source)
SOURCE=$2
shift 2
;;
-h)
usage
;;
--help)
usage
;;
*)
GFPMASK=$1
shift
;;
esac
done
# Guess the kernel source directory if it's not set. Preference is in order of
# o current directory
# o /usr/src/linux
if [ "$SOURCE" = "" ]; then
if [ -r "/usr/src/linux/Makefile" ]; then
SOURCE=/usr/src/linux
fi
if [ -r "`pwd`/Makefile" ]; then
SOURCE=`pwd`
fi
fi
# Confirm that a source directory exists
if [ ! -r "$SOURCE/Makefile" ]; then
die "Could not locate kernel source directory or it is invalid"
fi
# Confirm that a GFP mask has been specified
if [ "$GFPMASK" = "none" ]; then
usage
fi
# Extract GFP flags from the kernel source
TMPFILE=`mktemp -t gfptranslate-XXXXXX` || exit 1
grep -q ___GFP $SOURCE/include/linux/gfp.h
if [ $? -eq 0 ]; then
grep "^#define ___GFP" $SOURCE/include/linux/gfp.h | sed -e 's/u$//' | grep -v GFP_BITS > $TMPFILE
else
grep "^#define __GFP" $SOURCE/include/linux/gfp.h | sed -e 's/(__force gfp_t)//' | sed -e 's/u)/)/' | grep -v GFP_BITS | sed -e 's/)\//) \//' > $TMPFILE
fi
# Parse the flags
IFS="
"
echo Source: $SOURCE
echo Parsing: $GFPMASK
for LINE in `cat $TMPFILE`; do
MASK=`echo $LINE | awk '{print $3}'`
if [ $(($GFPMASK&$MASK)) -ne 0 ]; then
echo $LINE
fi
done
rm -f $TMPFILE
exit 0
Computing file changes ...
