linux/arch/arm64/include/asm
Will Deacon f069faba68 arm64: mm: Use READ_ONCE when dereferencing pointer to pte table
On kernels built with support for transparent huge pages, different CPUs
can access the PMD concurrently due to e.g. fast GUP or page_vma_mapped_walk
and they must take care to use READ_ONCE to avoid value tearing or caching
of stale values by the compiler. Unfortunately, these functions call into
our pgtable macros, which don't use READ_ONCE, and compiler caching has
been observed to cause the following crash during ext4 writeback:

PC is at check_pte+0x20/0x170
LR is at page_vma_mapped_walk+0x2e0/0x540
[...]
Process doio (pid: 2463, stack limit = 0xffff00000f2e8000)
Call trace:
[<ffff000008233328>] check_pte+0x20/0x170
[<ffff000008233758>] page_vma_mapped_walk+0x2e0/0x540
[<ffff000008234adc>] page_mkclean_one+0xac/0x278
[<ffff000008234d98>] rmap_walk_file+0xf0/0x238
[<ffff000008236e74>] rmap_walk+0x64/0xa0
[<ffff0000082370c8>] page_mkclean+0x90/0xa8
[<ffff0000081f3c64>] clear_page_dirty_for_io+0x84/0x2a8
[<ffff00000832f984>] mpage_submit_page+0x34/0x98
[<ffff00000832fb4c>] mpage_process_page_bufs+0x164/0x170
[<ffff00000832fc8c>] mpage_prepare_extent_to_map+0x134/0x2b8
[<ffff00000833530c>] ext4_writepages+0x484/0xe30
[<ffff0000081f6ab4>] do_writepages+0x44/0xe8
[<ffff0000081e5bd4>] __filemap_fdatawrite_range+0xbc/0x110
[<ffff0000081e5e68>] file_write_and_wait_range+0x48/0xd8
[<ffff000008324310>] ext4_sync_file+0x80/0x4b8
[<ffff0000082bd434>] vfs_fsync_range+0x64/0xc0
[<ffff0000082332b4>] SyS_msync+0x194/0x1e8

This is because page_vma_mapped_walk loads the PMD twice before calling
pte_offset_map: the first time without READ_ONCE (where it gets all zeroes
due to a concurrent pmdp_invalidate) and the second time with READ_ONCE
(where it sees a valid table pointer due to a concurrent pmd_populate).
However, the compiler inlines everything and caches the first value in
a register, which is subsequently used in pte_offset_phys which returns
a junk pointer that is later dereferenced when attempting to access the
relevant pte.

This patch fixes the issue by using READ_ONCE in pte_offset_phys to ensure
that a stale value is not used. Whilst this is a point fix for a known
failure (and simple to backport), a full fix moving all of our page table
accessors over to {READ,WRITE}_ONCE and consistently using READ_ONCE in
page_vma_mapped_walk is in the works for a future kernel release.

Cc: Jon Masters <jcm@redhat.com>
Cc: Timur Tabi <timur@codeaurora.org>
Cc: <stable@vger.kernel.org>
Fixes: f27176cfc3 ("mm: convert page_mkclean_one() to use page_vma_mapped_walk()")
Tested-by: Richard Ruigrok <rruigrok@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2017-09-29 16:46:43 +01:00
..
xen arm/arm64: xen: Move shared architecture headers to include/xen/arm 2016-12-02 11:49:55 -08:00
Kbuild arm64: neon: replace generic definition of may_use_simd() 2017-08-04 15:00:47 +01:00
acenv.h ARM64 / ACPI: Get RSDP and ACPI boot-time tables 2015-03-25 11:49:30 +00:00
acpi.h ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation 2017-06-02 15:13:52 +01:00
alternative.h arm64: Fix circular include of asm/lse.h through linux/jump_label.h 2016-11-05 20:59:06 +00:00
arch_gicv3.h irqchip/gic-v3-its: Add VPE interrupt masking 2017-08-31 15:31:38 +01:00
arch_timer.h clocksource/drivers/arm_arch_timer: Avoid infinite recursion when ftrace is enabled 2017-08-11 16:01:43 +02:00
arm-cci.h arm-cci: Get rid of secure transactions for PMU driver 2015-03-27 13:44:35 +00:00
asm-bug.h arm64: Add ASM_BUG() 2017-08-08 16:28:13 +01:00
asm-offsets.h
asm-uaccess.h arm64: entry: improve data abort handling of tagged pointers 2017-05-09 17:26:59 +01:00
assembler.h Merge branch 'arm64/vmap-stack' of git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux into for-next/core 2017-08-15 18:40:58 +01:00
atomic.h locking/atomic: Remove linux/atomic.h:atomic_fetch_or() 2016-06-16 10:48:32 +02:00
atomic_ll_sc.h arm64: Remove redundant mov from LL/SC cmpxchg 2017-05-15 18:30:10 +01:00
atomic_lse.h arm64: atomics: Remove '&' from '+&' asm constraint in lse atomics 2017-07-20 10:20:54 +01:00
barrier.h arm64: ensure extension of smp_store_release value 2017-05-09 17:45:04 +01:00
bitops.h
bitrev.h ARM: 8189/1: arm64:add bitrev.h file to support rbit instruction 2014-12-22 16:47:32 +00:00
boot.h arm64: allow kernel Image to be loaded anywhere in physical memory 2016-02-18 18:16:53 +00:00
brk-imm.h arm64: move brk immediate argument definitions to separate header 2016-02-23 17:43:25 +00:00
bug.h arm64: Add ASM_BUG() 2017-08-08 16:28:13 +01:00
cache.h arm64: cache: Identify VPIPT I-caches 2017-03-20 16:17:02 +00:00
cacheflush.h arm64: Implement pmem API support 2017-08-09 12:15:45 +01:00
checksum.h arm64: add missing conversion to __wsum in ip_fast_csum() 2017-06-29 16:32:43 +01:00
clocksource.h arm/arm64: arch_timer: Use archdata to indicate vdso suitability 2016-09-23 17:19:25 +01:00
cmpxchg.h arm64: xchg: hazard against entire exchange variable 2017-05-09 17:44:50 +01:00
compat.h sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task_stack.h> 2017-03-02 08:42:36 +01:00
compiler.h
cpu.h arm64: cpuinfo: Expose MIDR_EL1 and REVIDR_EL1 to sysfs 2016-07-12 16:09:37 +01:00
cpu_ops.h ARM64: kernel: unify ACPI and DT cpus initialization 2015-05-19 16:09:29 +01:00
cpucaps.h arm64: Implement pmem API support 2017-08-09 12:15:45 +01:00
cpufeature.h arm64/cpufeature: don't use mutex in bringup path 2017-05-17 17:00:29 +01:00
cpuidle.h arm64: kernel: rename __cpu_suspend to keep it aligned with arm 2015-06-19 14:46:39 +01:00
cputype.h arm64: Add MIDR values for Cavium cn83XX SoCs 2017-06-15 09:45:04 +01:00
current.h arm64: remove redundant header file in current.h 2017-03-30 19:15:37 +01:00
dcc.h arm64: dcc: simplify accessors 2016-09-09 11:41:13 +01:00
debug-monitors.h arm64: Add uprobe support 2016-11-07 18:15:21 +00:00
device.h xen/arm,arm64: fix xen_dma_ops after 815dd18 "Consolidate get_dma_ops..." 2017-05-02 11:14:42 +02:00
dma-mapping.h This is the first pull request for the new dma-mapping subsystem 2017-07-06 19:20:54 -07:00
dmi.h arm64: dmi: Add SMBIOS/DMI support 2014-11-05 09:03:25 +01:00
efi.h Merge branch 'efi-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-07 09:42:35 -07:00
elf.h arm64 updates for 4.14: 2017-09-05 09:53:37 -07:00
esr.h arm64: Handle trapped DC CVAP 2017-08-09 11:00:43 +01:00
exception.h arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections 2016-03-25 16:37:42 -07:00
exec.h arm64: suspend: Reconfigure PSTATE after resume from idle 2016-10-20 09:50:54 +01:00
extable.h arm64: add extable.h 2017-03-28 18:23:23 -04:00
fb.h
fixmap.h arm64: Remove fixmap include fragility 2016-02-26 15:22:53 +00:00
fpsimd.h arm64: neon: Remove support for nested or hardirq kernel-mode NEON 2017-08-04 15:00:57 +01:00
fpsimdmacros.h arm64: neon: Remove support for nested or hardirq kernel-mode NEON 2017-08-04 15:00:57 +01:00
ftrace.h arm64: Fix misspellings in comments. 2016-03-04 18:19:17 +00:00
futex.h futex: Remove duplicated code and fix undefined behaviour 2017-08-25 22:49:59 +02:00
hardirq.h arm64: kdump: implement machine_crash_shutdown() 2017-04-05 18:29:15 +01:00
hugetlb.h arm64: hugetlb: Override set_huge_swap_pte_at() to support contiguous hugepages 2017-08-22 17:47:11 +01:00
hw_breakpoint.h arm64: cpufeature: Make ID reg accessor naming less counterintuitive 2017-04-04 16:55:41 +01:00
hwcap.h arm64/HWCAP: Use system wide safe values 2015-10-21 15:35:58 +01:00
hypervisor.h
insn.h arm64: Prevent cpu hotplug rwsem recursion 2017-05-26 10:10:45 +02:00
io.h ARM64: Implement pci_remap_cfgspace() interface 2017-04-24 13:53:13 -05:00
irq.h arm64: clean up irq stack definitions 2017-08-15 18:35:14 +01:00
irq_work.h arm64: force CONFIG_SMP=y and remove redundant #ifdefs 2015-07-27 11:08:40 +01:00
irqflags.h arm64: debug: remove unused local_dbg_{enable, disable} macros 2016-07-19 16:59:40 +01:00
jump_label.h locking/static_keys: Add a new static_key interface 2015-08-03 11:34:15 +02:00
kasan.h arm64: move kernel image to base of vmalloc area 2016-02-18 18:16:44 +00:00
kernel-pgtable.h arm64: Introduce uaccess_{disable,enable} functionality based on TTBR0_EL1 2016-11-21 18:48:53 +00:00
kexec.h arm64: kdump: implement machine_crash_shutdown() 2017-04-05 18:29:15 +01:00
kgdb.h arm64: kgdb: Match pstate size with gdbserver protocol 2016-06-16 19:20:51 +01:00
kprobes.h kprobes: move kprobe declarations to asm-generic/kprobes.h 2017-02-27 18:43:45 -08:00
kvm_arm.h arm/arm64: KVM: add guest SEA support 2017-06-22 18:22:05 +01:00
kvm_asm.h arm64: KVM: Convert __cpu_reset_hyp_mode to using __hyp_reset_vectors 2017-04-09 07:49:22 -07:00
kvm_coproc.h
kvm_emulate.h KVM: arm/arm64: Fix guest external abort matching 2017-09-05 17:33:37 +02:00
kvm_host.h KVM: update to new mmu_notifier semantic v2 2017-08-31 16:13:00 -07:00
kvm_hyp.h KVM: arm64: vgic-v3: Add hook to handle guest GICv3 sysreg accesses at EL2 2017-06-15 09:44:59 +01:00
kvm_mmio.h KVM: arm/arm64: Export mmio_read/write_bus 2016-05-20 15:39:42 +02:00
kvm_mmu.h kvm: arm64: Convert kvm_set_s2pte_readonly() from inline asm to cmpxchg() 2017-08-21 11:12:39 +01:00
kvm_psci.h
linkage.h arm64: relax assembly code alignment from 16 byte to 4 byte 2017-09-18 11:20:19 +01:00
lse.h arm64: do not trace atomic operations 2017-02-06 19:00:23 +00:00
memblock.h
memory.h Merge branch 'arm64/vmap-stack' of git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux into for-next/core 2017-08-15 18:40:58 +01:00
mmu.h arm64: introduce separated bits for mm_context_t flags 2017-08-22 18:13:04 +01:00
mmu_context.h sched/headers: Prepare to remove the <linux/mm_types.h> dependency from <linux/sched.h> 2017-03-02 08:42:37 +01:00
mmzone.h arm64, numa: Add NUMA support for arm64 platforms. 2016-04-15 18:06:09 +01:00
module.h arm64: ftrace: add support for far branches to dynamic ftrace 2017-06-07 11:52:02 +01:00
neon.h arm64: neon: Temporarily add a kernel_mode_begin_partial() definition 2017-08-04 15:10:12 +01:00
numa.h arm64: numa: Remove the unused parent_node() macro 2017-08-15 14:37:45 +01:00
page-def.h arm64: factor out PAGE_* and CONT_* definitions 2017-08-15 18:35:00 +01:00
page.h arm64: factor out PAGE_* and CONT_* definitions 2017-08-15 18:35:00 +01:00
paravirt.h arm64: introduce CONFIG_PARAVIRT, PARAVIRT_TIME_ACCOUNTING and pv_time_ops 2015-12-21 14:40:54 +00:00
pci.h PCI: Add pci_mmap_resource_range() and use it for ARM64 2017-04-20 08:47:47 -05:00
percpu.h arm64: factor out current_stack_pointer 2016-11-11 18:25:43 +00:00
perf_event.h arm64 updates for 4.10: 2016-12-13 16:39:21 -08:00
pgalloc.h arm64: get rid of superfluous __GFP_REPEAT 2016-06-24 17:23:52 -07:00
pgtable-hwdef.h arm64: simplify sysreg manipulation 2016-09-09 11:43:50 +01:00
pgtable-prot.h arm64: Move PTE_RDONLY bit handling out of set_pte_at() 2017-08-21 11:12:50 +01:00
pgtable-types.h arch, mm: convert all architectures to use 5level-fixup.h 2017-03-09 11:48:47 -08:00
pgtable.h arm64: mm: Use READ_ONCE when dereferencing pointer to pte table 2017-09-29 16:46:43 +01:00
probes.h arm64: Remove reference to asm/opcodes.h 2016-12-05 10:42:34 +00:00
proc-fns.h arm64: kill flush_cache_all() 2015-05-19 15:27:42 +01:00
processor.h Merge branch 'arm64/vmap-stack' of git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux into for-next/core 2017-08-15 18:40:58 +01:00
ptdump.h arm64: dump: Add checking for writable and exectuable pages 2016-11-07 18:15:04 +00:00
ptrace.h Merge branch 'arm64/exception-stack' of git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux into for-next/core 2017-08-09 15:37:49 +01:00
seccomp.h arm64: add seccomp support 2014-11-28 10:24:59 +00:00
sections.h arm64: mmu: apply strict permissions to .init.text and .init.data 2017-03-23 13:54:50 +00:00
shmparam.h arm64: fix COMPAT_SHMLBA definition for large pages 2015-12-02 14:00:10 +00:00
signal32.h arm64: compat: Remove leftover variable declaration 2017-08-10 18:17:32 +01:00
simd.h arm64: neon: Forbid when irqs are disabled 2017-08-09 15:05:59 +01:00
smp.h arm64: kexec: have own crash_smp_send_stop() for crash dump for nonpanic cores 2017-08-21 18:01:04 +01:00
smp_plat.h arm64: remove dead-code depending on CONFIG_UP_LATE_INIT 2015-07-29 18:32:09 +01:00
sparsemem.h
spinlock.h Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 11:52:29 -07:00
spinlock_types.h arm64: include linux/types.h in asm/spinlock_types.h 2015-07-27 11:09:34 +01:00
stack_pointer.h arm64: factor out current_stack_pointer 2016-11-11 18:25:43 +00:00
stackprotector.h arm64: ascii armor the arm64 boot init stack canary 2017-07-12 16:26:03 -07:00
stacktrace.h arm64: add VMAP_STACK overflow detection 2017-08-15 18:36:18 +01:00
stage2_pgtable-nopmd.h kvm: arm64: Get rid of fake page table levels 2016-04-21 14:58:21 +02:00
stage2_pgtable-nopud.h kvm: arm64: Get rid of fake page table levels 2016-04-21 14:58:21 +02:00
stage2_pgtable.h kvm: arm64: Get rid of fake page table levels 2016-04-21 14:58:21 +02:00
stat.h
string.h arm64: uaccess: Implement *_flushcache variants 2017-08-09 12:16:26 +01:00
suspend.h arm64: move sp_el0 and tpidr_el1 into cpu_suspend_ctx 2016-11-11 18:25:44 +00:00
sync_bitops.h
syscall.h
sysreg.h arm64: Expose DC CVAP to userspace 2017-08-09 11:00:35 +01:00
system_misc.h Merge branch 'aarch64/for-next/ras-apei' into aarch64/for-next/core 2017-06-26 10:54:27 +01:00
thread_info.h arm64 updates for 4.14: 2017-09-05 09:53:37 -07:00
timex.h
tlb.h arm64: tlbflush: avoid flushing when fullmm == 1 2015-10-07 11:56:21 +01:00
tlbflush.h arm64: Work around Falkor erratum 1009 2017-02-01 15:41:50 +00:00
topology.h arm64, numa: Add NUMA support for arm64 platforms. 2016-04-15 18:06:09 +01:00
traps.h arm64 updates for 4.14: 2017-09-05 09:53:37 -07:00
uaccess.h arm64 updates for 4.14: 2017-09-05 09:53:37 -07:00
unistd.h Remove compat_sys_getdents64() 2017-04-17 12:52:22 -04:00
unistd32.h Remove compat_sys_getdents64() 2017-04-17 12:52:22 -04:00
uprobes.h arm64: Add uprobe support 2016-11-07 18:15:21 +00:00
vdso.h
vdso_datapage.h arm64: Add support for CLOCK_MONOTONIC_RAW in clock_gettime() vDSO 2016-07-12 16:06:32 +01:00
virt.h arm64: hyp-stub/KVM: Kill __hyp_get_vectors 2017-04-09 07:49:34 -07:00
word-at-a-time.h Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00