ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

PlaidCat · PlaidCat · commit 2eaff6495fa7 · 2024-10-03T18:03:40.000-04:00
jira LE-1907 cve CVE-2024-26947 Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4 commit-author Yongqiang Liu <liuyongqiang13@huawei.com> commit 0c66c6f Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/0c66c6f4.failed Since commit a4d5613 ("arm: extend pfn_valid to take into account freed memory map alignment") changes the semantics of pfn_valid() to check presence of the memory map for a PFN. A valid page for an address which is reserved but not mapped by the kernel[1], the system crashed during some uio test with the following memory layout: node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff] node 0: [mem 0x00000000d0000000-0x00000000da1fffff] the uio layout is：0xc0900000, 0x100000 the crash backtrace like: Unable to handle kernel paging request at virtual address bff00000 [...] CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1 Hardware name: Generic DT based system PC is at b15_flush_kern_dcache_area+0x24/0x3c LR is at __sync_icache_dcache+0x6c/0x98 [...] (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98) (__sync_icache_dcache) from (set_pte_at+0x28/0x54) (set_pte_at) from (remap_pfn_range+0x1a0/0x274) (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio]) (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4) (__mmap_region) from (__do_mmap_mm+0x3ec/0x440) (__do_mmap_mm) from (do_mmap+0x50/0x58) (do_mmap) from (vm_mmap_pgoff+0xfc/0x188) (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4) (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c) Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e) ---[ end trace 09cf0734c3805d52 ]--- Kernel panic - not syncing: Fatal exception So check if PG_reserved was set to solve this issue. [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/ Fixes: a4d5613 ("arm: extend pfn_valid to take into account freed memory map alignment") Suggested-by: Mike Rapoport <rppt@linux.ibm.com> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com> Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> (cherry picked from commit 0c66c6f) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # arch/arm/mm/flush.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/0c66c6f4.failed b/ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/0c66c6f4.failed
@@ -0,0 +1,80 @@
+ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
+
+jira LE-1907
+cve CVE-2024-26947
+Rebuild_History Non-Buildable kernel-5.14.0-427.37.1.el9_4
+commit-author Yongqiang Liu <liuyongqiang13@huawei.com>
+commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-427.37.1.el9_4/0c66c6f4.failed
+
+Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
+freed memory map alignment") changes the semantics of pfn_valid() to check
+presence of the memory map for a PFN. A valid page for an address which
+is reserved but not mapped by the kernel[1], the system crashed during
+some uio test with the following memory layout:
+
+ node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]
+ node   0: [mem 0x00000000d0000000-0x00000000da1fffff]
+ the uio layout is：0xc0900000, 0x100000
+
+the crash backtrace like:
+
+  Unable to handle kernel paging request at virtual address bff00000
+  [...]
+  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1
+  Hardware name: Generic DT based system
+  PC is at b15_flush_kern_dcache_area+0x24/0x3c
+  LR is at __sync_icache_dcache+0x6c/0x98
+  [...]
+   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)
+   (__sync_icache_dcache) from (set_pte_at+0x28/0x54)
+   (set_pte_at) from (remap_pfn_range+0x1a0/0x274)
+   (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])
+   (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)
+   (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)
+   (__do_mmap_mm) from (do_mmap+0x50/0x58)
+   (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)
+   (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)
+   (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)
+  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
+  ---[ end trace 09cf0734c3805d52 ]---
+  Kernel panic - not syncing: Fatal exception
+
+So check if PG_reserved was set to solve this issue.
+
+[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/
+
+Fixes: a4d5613c4dc6 ("arm: extend pfn_valid to take into account freed memory map alignment")
+	Suggested-by: Mike Rapoport <rppt@linux.ibm.com>
+	Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
+	Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+(cherry picked from commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	arch/arm/mm/flush.c
+diff --cc arch/arm/mm/flush.c
+index 7ff9feea13a6,0749cf8a6637..000000000000
+--- a/arch/arm/mm/flush.c
++++ b/arch/arm/mm/flush.c
+@@@ -279,9 -295,12 +279,16 @@@ void __sync_icache_dcache(pte_t pteval
+  	if (!pfn_valid(pfn))
+  		return;
+  
+++<<<<<<< HEAD
+ +	page = pfn_to_page(pfn);
+++=======
++ 	folio = page_folio(pfn_to_page(pfn));
++ 	if (folio_test_reserved(folio))
++ 		return;
++ 
+++>>>>>>> 0c66c6f4e21c (ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses)
+  	if (cache_is_vipt_aliasing())
+ -		mapping = folio_flush_mapping(folio);
+ +		mapping = page_mapping_file(page);
+  	else
+  		mapping = NULL;
+  
+* Unmerged path arch/arm/mm/flush.c
