iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/mm
History
Kefeng Wang cfdd12b482 mm: fix possible OOB in numa_rebuild_large_mapping() 
The large folio is mapped with folio size(not greater PMD_SIZE) aligned
virtual address during the pagefault, ie, 'addr = ALIGN_DOWN(vmf->address,
nr_pages * PAGE_SIZE)' in do_anonymous_page().  But after the mremap(),
the virtual address only requires PAGE_SIZE alignment.  Also pte is moved
to new in move_page_tables(), then traversal of the new pte in the
numa_rebuild_large_mapping() could hit the following issue,

   Unable to handle kernel paging request at virtual address 00000a80c021a788
   Mem abort info:
     ESR = 0x0000000096000004
     EC = 0x25: DABT (current EL), IL = 32 bits
     SET = 0, FnV = 0
     EA = 0, S1PTW = 0
     FSC = 0x04: level 0 translation fault
   Data abort info:
     ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
     CM = 0, WnR = 0, TnD = 0, TagAccess = 0
     GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
   user pgtable: 4k pages, 48-bit VAs, pgdp=00002040341a6000
   [00000a80c021a788] pgd=0000000000000000, p4d=0000000000000000
   Internal error: Oops: 0000000096000004 [#1] SMP
   ...
   CPU: 76 PID: 15187 Comm: git Kdump: loaded Tainted: G        W          6.10.0-rc2+ #209
   Hardware name: Huawei TaiShan 2280 V2/BC82AMDD, BIOS 1.79 08/21/2021
   pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : numa_rebuild_large_mapping+0x338/0x638
   lr : numa_rebuild_large_mapping+0x320/0x638
   sp : ffff8000b41c3b00
   x29: ffff8000b41c3b30 x28: ffff8000812a0000 x27: 00000000000a8000
   x26: 00000000000000a8 x25: 0010000000000001 x24: ffff20401c7170f0
   x23: 0000ffff33a1e000 x22: 0000ffff33a76000 x21: ffff20400869eca0
   x20: 0000ffff33976000 x19: 00000000000000a8 x18: ffffffffffffffff
   x17: 0000000000000000 x16: 0000000000000020 x15: ffff8000b41c36a8
   x14: 0000000000000000 x13: 205d373831353154 x12: 5b5d333331363732
   x11: 000000000011ff78 x10: 000000000011ff10 x9 : ffff800080273f30
   x8 : 000000320400869e x7 : c0000000ffffd87f x6 : 00000000001e6ba8
   x5 : ffff206f3fb5af88 x4 : 0000000000000000 x3 : 0000000000000000
   x2 : 0000000000000000 x1 : fffffdffc0000000 x0 : 00000a80c021a780
   Call trace:
    numa_rebuild_large_mapping+0x338/0x638
    do_numa_page+0x3e4/0x4e0
    handle_pte_fault+0x1bc/0x238
    __handle_mm_fault+0x20c/0x400
    handle_mm_fault+0xa8/0x288
    do_page_fault+0x124/0x498
    do_translation_fault+0x54/0x80
    do_mem_abort+0x4c/0xa8
    el0_da+0x40/0x110
    el0t_64_sync_handler+0xe4/0x158
    el0t_64_sync+0x188/0x190

Fix it by making the start and end not only within the vma range, but also
within the page table range.

Link: https://lkml.kernel.org/r/20240612122822.4033433-1-wangkefeng.wang@huawei.com
Fixes: d2136d749d76 ("mm: support multi-size THP numa balancing")
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2024-06-15 10:43:07 -07:00
..
damon
mm/damon/core: fix return value from damos_wmark_metric_value
2024-05-11 15:41:36 -07:00
kasan
fix missing vmalloc.h includes
2024-04-25 20:55:49 -07:00
kfence
mm: introduce slabobj_ext to support slab object extensions
2024-04-25 20:55:51 -07:00
kmsan
kmsan: do not wipe out origin when doing partial unpoisoning
2024-06-05 19:19:25 -07:00
backing-dev.c
writeback: support retrieving per group debug writeback stats of bdi
2024-05-05 17:53:51 -07:00
balloon_compaction.c
bootmem_info.c
bootmem: use kmemleak_free_part_phys in put_page_bootmem
2023-10-25 16:47:13 -07:00
cma_debug.c
cma_sysfs.c
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
cma.c
mm/cma: drop incorrect alignment check in cma_init_reserved_mem
2024-04-25 20:56:42 -07:00
cma.h
mm/cma: add sysfs file 'release_pages_success'
2024-02-22 10:24:57 -08:00
compaction.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
debug_page_alloc.c
mm: page_alloc: consolidate free page accounting
2024-04-25 20:56:04 -07:00
debug_page_ref.c
debug_vm_pgtable.c
mm/debug_vm_pgtable: test pmd_leaf() behavior with pmd_mkinvalid()
2024-05-07 10:37:00 -07:00
debug.c
mm/debug: print only page mapcount (excluding folio entire mapcount) in __dump_folio()
2024-05-05 17:53:31 -07:00
dmapool_test.c
dmapool.c
mm/mempool/dmapool: remove CONFIG_DEBUG_SLAB ifdefs
2023-12-05 11:17:58 +01:00
early_ioremap.c
execmem.c
mm/execmem, arch: convert remaining overrides of module_alloc to execmem
2024-05-14 00:31:43 -07:00
fadvise.c
fail_page_alloc.c
failslab.c
filemap.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
folio-compat.c
mm: remove __set_page_dirty_nobuffers()
2024-04-25 20:56:25 -07:00
gup_test.c
gup_test.h
gup.c
mm/gup: fix hugepd handling in hugetlb rework
2024-05-07 10:37:01 -07:00
highmem.c
x86/kexec: use pr_err() instead of kexec_dprintk() when an error occurs
2023-12-29 12:22:28 -08:00
hmm.c
mm/treewide: replace pXd_huge() with pXd_leaf()
2024-04-25 20:55:46 -07:00
huge_memory.c
mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
2024-06-15 10:43:06 -07:00
hugetlb_cgroup.c
mm/hugetlb: assert hugetlb_lock in __hugetlb_cgroup_commit_charge
2024-05-05 17:53:41 -07:00
hugetlb_vmemmap.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
hugetlb_vmemmap.h
mm: hugetlb_vmemmap: fix reference to nonexistent file
2023-10-25 16:47:14 -07:00
hugetlb.c
mm/hugetlb: do not call vma_add_reservation upon ENOMEM
2024-06-05 19:19:26 -07:00
hwpoison-inject.c
mm/memory-failure: convert shake_page() to shake_folio()
2024-05-05 17:53:45 -07:00
init-mm.c
mm: Deprecate pasid field
2023-12-12 10:11:32 +01:00
internal.h
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
interval_tree.c
io-mapping.c
ioremap.c
Kconfig
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
Kconfig.debug
mm/slub: unify all sl[au]b parameters with "slab_$param"
2024-01-22 10:31:08 +01:00
khugepaged.c
mm: simplify thp_vma_allowable_order
2024-05-05 17:53:53 -07:00
kmemleak.c
mm: lift gfp_kmemleak_mask() to gfp.h
2024-05-19 14:40:44 -07:00
ksm.c
mm/ksm: fix ksm_zero_pages accounting
2024-06-05 19:19:26 -07:00
list_lru.c
mm/zswap: stop lru list shrinking when encounter warm region
2024-02-22 10:24:54 -08:00
maccess.c
madvise.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
Makefile
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mapping_dirty_helpers.c
mm: fix clean_record_shared_mapping_range kernel-doc
2023-08-24 16:20:30 -07:00
memblock.c
cxl fixes for 6.8-rc6
2024-02-24 15:53:40 -08:00
memcontrol.c
memcg: remove the lockdep assert from __mod_objcg_mlstate()
2024-06-05 19:19:24 -07:00
memfd.c
mm/memfd: refactor memfd_tag_pins() and memfd_wait_for_pins()
2024-03-04 17:01:21 -08:00
memory_hotplug.c
mm/hugetlb: rename dissolve_free_huge_pages() to dissolve_free_hugetlb_folios()
2024-05-05 17:53:35 -07:00
memory-failure.c
mm/memory-failure: fix handling of dissolved but not taken off from buddy pages
2024-05-24 11:55:08 -07:00
memory-tiers.c
memory tier: create CPUless memory tiers after obtaining HMAT info
2024-05-05 17:53:26 -07:00
memory.c
mm: fix possible OOB in numa_rebuild_large_mapping()
2024-06-15 10:43:07 -07:00
mempolicy.c
mm: add pmd_folio()
2024-04-25 20:56:19 -07:00
mempool.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
memremap.c
mm: convert put_devmap_managed_page_refs() to put_devmap_managed_folio_refs()
2024-05-05 17:53:49 -07:00
memtest.c
memtest: use {READ,WRITE}_ONCE in memory scanning
2024-03-13 12:12:21 -07:00
migrate_device.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
migrate.c
mm/migrate: fix kernel BUG at mm/compaction.c:2761!
2024-06-15 10:43:07 -07:00
mincore.c
mlock.c
mm: add pmd_folio()
2024-04-25 20:56:19 -07:00
mm_init.c
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
mm_slot.h
mmap_lock.c
mmap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mmu_gather.c
mm/mmu_gather: improve cond_resched() handling with large folios and expensive page freeing
2024-02-22 15:27:17 -08:00
mmu_notifier.c
mmu_notifier: remove the .change_pte() callback
2024-04-11 13:18:36 -04:00
mmzone.c
zswap: shrink zswap pool based on memory pressure
2023-12-12 10:57:02 -08:00
mprotect.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mremap.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
mseal.c
mseal: add mseal syscall
2024-05-23 19:40:26 -07:00
msync.c
nommu.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
oom_kill.c
memory: remove the now superfluous sentinel element from ctl_table array
2024-04-25 20:56:32 -07:00
page_alloc.c
Revert "mm: init_mlocked_on_free_v3"
2024-06-15 10:43:05 -07:00
page_counter.c
page_ext.c
mm: make page_ext_get() take a const argument
2024-04-25 20:56:14 -07:00
page_idle.c
page_io.c
mm: drop the 'anon_' prefix for swap-out mTHP counters
2024-06-05 19:19:23 -07:00
page_isolation.c
mm: page_isolation: prepare for hygienic freelists
2024-04-25 20:56:04 -07:00
page_owner.c
mm/page-owner: use gfp_nested_mask() instead of open coded masking
2024-05-19 14:40:44 -07:00
page_poison.c
mm/page_poison: replace kmap_atomic() with kmap_local_page()
2023-12-10 16:51:50 -08:00
page_reporting.c
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
page_reporting.h
page_table_check.c
mm/page_table_check: fix crash on ZONE_DEVICE
2024-06-15 10:43:04 -07:00
page_vma_mapped.c
mm: make page_mapped_in_vma conditional on CONFIG_MEMORY_FAILURE
2024-05-05 17:53:45 -07:00
page-writeback.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
pagewalk.c
mm: pagewalk: assert write mmap lock only for walking the user page tables
2023-12-10 16:51:53 -08:00
percpu-internal.h
mm: percpu: add codetag reference into pcpuobj_ext
2024-04-25 20:55:56 -07:00
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu: clean up all mappings when pcpu_map_pages() fails
2024-04-25 20:55:49 -07:00
percpu.c
mm: percpu: enable per-cpu allocation tagging
2024-04-25 20:55:56 -07:00
pgalloc-track.h
pgtable-generic.c
mm: fix race between __split_huge_pmd_locked() and GUP-fast
2024-05-07 10:37:00 -07:00
process_vm_access.c
mm: fix process_vm_rw page counts
2023-12-10 16:51:39 -08:00
ptdump.c
mm: ptdump: add check_wx_pages debugfs attribute
2024-02-22 10:24:47 -08:00
readahead.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
rmap.c
mm: do not update memcg stats for NR_{FILE/SHMEM}_PMDMAPPED
2024-05-11 15:41:35 -07:00
rodata_test.c
secretmem.c
mm/secretmem: use a folio in secretmem_fault()
2023-08-21 13:38:02 -07:00
shmem_quota.c
tmpfs: fix race on handling dquot rbtree
2024-03-26 11:07:23 -07:00
shmem.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
show_mem.c
lib: add memory allocations report in show_mem()
2024-04-25 20:55:57 -07:00
shrinker_debug.c
mm: shrinker: convert shrinker_rwsem to mutex
2023-10-04 10:32:26 -07:00
shrinker.c
mm: shrinker: use kvzalloc_node() from expand_one_shrinker_info()
2024-01-05 09:58:32 -08:00
shuffle.c
shuffle.h
mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER
2024-01-08 15:27:15 -08:00
slab_common.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slab.h
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
slub.c
codetag: avoid race at alloc_slab_obj_exts
2024-06-05 19:19:26 -07:00
sparse-vmemmap.c
sparse.c
mm/sparse: guard the size of mem_section is power of 2
2024-05-05 17:53:40 -07:00
swap_cgroup.c
swap_slots.c
mm: swap: update get_swap_pages() to take folio order
2024-04-25 20:56:37 -07:00
swap_state.c
mm: remove struct page from get_shadow_from_swap_cache
2024-04-25 20:56:40 -07:00
swap.c
mm: add kernel-doc for folio_mark_accessed()
2024-05-05 17:53:50 -07:00
swap.h
mm/swap: fix race when skipping swapcache
2024-02-20 14:20:48 -08:00
swapfile.c
getting rid of bogus set_blocksize() uses, switching it
2024-05-21 08:34:51 -07:00
truncate.c
mm: convert pagecache_isize_extended to use a folio
2024-04-25 20:56:43 -07:00
usercopy.c
userfaultfd.c
The usual shower of singleton fixes and minor series all over MM,
2024-05-19 09:21:03 -07:00
util.c
mm: fix xyz_noprof functions calling profiled functions
2024-06-05 19:19:26 -07:00
vmalloc.c
vmalloc: check CONFIG_EXECMEM in is_vmalloc_or_module_addr()
2024-06-05 19:19:25 -07:00
vmpressure.c
eventfd: simplify eventfd_signal()
2023-11-28 14:08:38 +01:00
vmscan.c
mm: drop the 'anon_' prefix for swap-out mTHP counters
2024-06-05 19:19:23 -07:00
vmstat.c
iommu: observability of the IOMMU allocations
2024-04-15 14:31:47 +02:00
workingset.c
mm: cleanup WORKINGSET_NODES in workingset
2024-05-07 10:36:59 -07:00
z3fold.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zbud.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zpool.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zsmalloc.c
mm: zpool: return pool size in pages
2024-04-25 20:55:48 -07:00
zswap.c
mm: zswap: remove same_filled module params
2024-05-05 17:53:38 -07:00