tag | c7ecff1d9a63a93e00381e29c5245dba78cc1a00 | |
---|---|---|
tagger | Todd Kjos <tkjos@google.com> | Wed Jul 06 20:40:52 2022 -0700 |
object | 8828cbe3c7ecae5b23fa28bc819cd8a4e9c7390f |
https://source.android.com/security/bulletin/2022-07-01 CVE-2020-29374 CVE-2022-20227
commit | 8828cbe3c7ecae5b23fa28bc819cd8a4e9c7390f | [log] [tgz] |
---|---|---|
author | Linus Torvalds <torvalds@linux-foundation.org> | Thu Sep 24 08:41:32 2020 -0700 |
committer | Todd Kjos <tkjos@google.com> | Wed Jul 06 18:37:37 2022 -0700 |
tree | 71609b394cdd481334afcae422c4b5aa1c1cee2d | |
parent | e791f407b137dbdd7a145d33344a27d60cc1005b [diff] |
UPSTREAM: mm: fix misplaced unlock_page in do_wp_page() Commit 09854ba94c6a ("mm: do_wp_page() simplification") reorganized all the code around the page re-use vs copy, but in the process also moved the final unlock_page() around to after the wp_page_reuse() call. That normally doesn't matter - but it means that the unlock_page() is now done after releasing the page table lock. Again, not a big deal, you'd think. But it turns out that it's very wrong indeed, because once we've released the page table lock, we've basically lost our only reference to the page - the page tables - and it could now be free'd at any time. We do hold the mmap_sem, so no actual unmap() can happen, but madvise can come in and a MADV_DONTNEED will zap the page range - and free the page. So now the page may be free'd just as we're unlocking it, which in turn will usually trigger a "Bad page state" error in the freeing path. To make matters more confusing, by the time the debug code prints out the page state, the unlock has typically completed and everything looks fine again. This all doesn't happen in any normal situations, but it does trigger with the dirtyc0w_child LTP test. And it seems to trigger much more easily (but not expclusively) on s390 than elsewhere, probably because s390 doesn't do the "batch pages up for freeing after the TLB flush" that gives the unlock_page() more time to complete and makes the race harder to hit. Fixes: 09854ba94c6a ("mm: do_wp_page() simplification") Link: https://lore.kernel.org/lkml/a46e9bbef2ed4e17778f5615e818526ef848d791.camel@redhat.com/ Link: https://lore.kernel.org/linux-mm/c41149a8-211e-390b-af1d-d5eee690fecb@linux.alibaba.com/ Reported-by: Qian Cai <cai@redhat.com> Reported-by: Alex Shi <alex.shi@linux.alibaba.com> Bisected-and-analyzed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> Tested-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit be068f29034fb00530a053d18b8cf140c32b12b3) Bug: 176847924 Signed-off-by: Kalesh Singh <kaleshsingh@google.com> Change-Id: I85ea395b6b722fbfc63036041d11615dacf96a7b
BEST: Make all of your changes to upstream Linux. If appropriate, backport to the stable releases. These patches will be merged automatically in the corresponding common kernels. If the patch is already in upstream Linux, post a backport of the patch that conforms to the patch requirements below.
LESS GOOD: Develop your patches out-of-tree (from an upstream Linux point-of-view). Unless these are fixing an Android-specific bug, these are very unlikely to be accepted unless they have been coordinated with kernel-team@android.com. If you want to proceed, post a patch that conforms to the patch requirements below.
script/checkpatch.pl
UPSTREAM:
, BACKPORT:
, FROMGIT:
, FROMLIST:
, or ANDROID:
.Change-Id:
tag (see https://gerrit-review.googlesource.com/Documentation/user-changeid.html)Bug:
tag.Signed-off-by:
tag by the author and the submitterAdditional requirements are listed below based on patch type
UPSTREAM:
, BACKPORT:
UPSTREAM:
.(cherry-picked from ...)
lineimportant patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org>
- then Joe Smith would upload the patch for the common kernel as
UPSTREAM: important patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org> Bug: 135791357 Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01 (cherry-picked from c31e73121f4c1ec41143423ac6ce3ce6dafdcec1) Signed-off-by: Joe Smith <joe.smith@foo.org>
BACKPORT:
instead of UPSTREAM:
.UPSTREAM:
(cherry-picked from ...)
lineBACKPORT: important patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org> Bug: 135791357 Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01 (cherry-picked from c31e73121f4c1ec41143423ac6ce3ce6dafdcec1) [ Resolved minor conflict in drivers/foo/bar.c ] Signed-off-by: Joe Smith <joe.smith@foo.org>
FROMGIT:
, FROMLIST:
,FROMGIT:
(cherry picked from commit <sha1> <repo> <branch>)
. This must be a stable maintainer branch (not rebased, so don't use linux-next
for example).BACKPORT: FROMGIT:
important patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org>
- then Joe Smith would upload the patch for the common kernel as
FROMGIT: important patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org> Bug: 135791357 (cherry picked from commit 878a2fd9de10b03d11d2f622250285c7e63deace https://git.kernel.org/pub/scm/linux/kernel/git/foo/bar.git test-branch) Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01 Signed-off-by: Joe Smith <joe.smith@foo.org>
FROMLIST:
Link:
tag with a link to the submittal on lore.kernel.orgBACKPORT: FROMLIST:
FROMLIST: important patch from upstream This is the detailed description of the important patch Signed-off-by: Fred Jones <fred.jones@foo.org> Bug: 135791357 Link: https://lore.kernel.org/lkml/20190619171517.GA17557@someone.com/ Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01 Signed-off-by: Joe Smith <joe.smith@foo.org>
ANDROID:
ANDROID:
Fixes:
tag that cites the patch with the bugANDROID: fix android-specific bug in foobar.c This is the detailed description of the important fix Fixes: 1234abcd2468 ("foobar: add cool feature") Change-Id: I4caaaa566ea080fa148c5e768bb1a0b6f7201c01 Signed-off-by: Joe Smith <joe.smith@foo.org>
ANDROID:
Bug:
tag with the Android bug (required for android-specific features)