https://github.com/torvalds/linux
Revision ba422731316dde1e22dcc84b83c7349dc0ce1c3c authored by Sean Christopherson on 10 January 2019, 00:51:17 UTC, committed by Linus Torvalds on 10 January 2019, 10:58:21 UTC
The conversion to use a structure for mmu_notifier_invalidate_range_*() unintentionally changed the usage in try_to_unmap_one() to init the 'struct mmu_notifier_range' with vma->vm_start instead of @address, i.e. it invalidates the wrong address range. Revert to the correct address range. Manifests as KVM use-after-free WARNINGs and subsequent "BUG: Bad page state in process X" errors when reclaiming from a KVM guest due to KVM removing the wrong pages from its own mappings. Reported-by: leozinho29_eu@hotmail.com Reported-by: Mike Galbraith <efault@gmx.de> Reported-and-tested-by: Adam Borowski <kilobyte@angband.pl> Reviewed-by: Jérôme Glisse <jglisse@redhat.com> Reviewed-by: Pankaj gupta <pagupta@redhat.com> Cc: Christian König <christian.koenig@amd.com> Cc: Jan Kara <jack@suse.cz> Cc: Matthew Wilcox <mawilcox@microsoft.com> Cc: Ross Zwisler <zwisler@kernel.org> Cc: Dan Williams <dan.j.williams@intel.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Radim Krčmář <rkrcmar@redhat.com> Cc: Michal Hocko <mhocko@kernel.org> Cc: Felix Kuehling <felix.kuehling@amd.com> Cc: Ralph Campbell <rcampbell@nvidia.com> Cc: John Hubbard <jhubbard@nvidia.com> Cc: Andrew Morton <akpm@linux-foundation.org> Fixes: ac46d4f3c432 ("mm/mmu_notifier: use structure for invalidate_range_start/end calls v2") Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 4064e47
Tip revision: ba422731316dde1e22dcc84b83c7349dc0ce1c3c authored by Sean Christopherson on 10 January 2019, 00:51:17 UTC
mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
mm/mmu_notifier: mm/rmap.c: Fix a mmu_notifier range bug in try_to_unmap_one
Tip revision: ba42273
File | Mode | Size |
---|---|---|
alpha | ||
arc | ||
arm | ||
arm64 | ||
c6x | ||
csky | ||
h8300 | ||
hexagon | ||
ia64 | ||
m68k | ||
microblaze | ||
mips | ||
nds32 | ||
nios2 | ||
openrisc | ||
parisc | ||
powerpc | ||
riscv | ||
s390 | ||
sh | ||
sparc | ||
um | ||
unicore32 | ||
x86 | ||
xtensa | ||
.gitignore | -rw-r--r-- | 12 bytes |
Kconfig | -rw-r--r-- | 26.5 KB |
![swh spinner](/static/img/swh-spinner.gif)
Computing file changes ...