userfaultfd: shmem: add i_size checks
commit e2a50c1f64145a04959df2442305d57307e5395a upstream.
With MAP_SHARED: recheck the i_size after taking the PT lock, to
serialize against truncate with the PT lock. Delete the page from the
pagecache if the i_size_read check fails.
With MAP_PRIVATE: check the i_size after the PT lock before mapping
anonymous memory or zeropages into the MAP_PRIVATE shmem mapping.
A mostly irrelevant cleanup: like we do the delete_from_page_cache()
pagecache removal after dropping the PT lock, the PT lock is a spinlock
so drop it before the sleepable page lock.
Link: http://lkml.kernel.org/r/20181126173452.26955-5-aarcange@redhat.com
Fixes: 4c27fe4c4c
("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Hugh Dickins <hughd@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: <stable@vger.kernel.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
6e44dd02c9
commit
4ce337622f
2 changed files with 40 additions and 4 deletions
18
mm/shmem.c
18
mm/shmem.c
|
@ -2264,6 +2264,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
|
|||
struct page *page;
|
||||
pte_t _dst_pte, *dst_pte;
|
||||
int ret;
|
||||
pgoff_t offset, max_off;
|
||||
|
||||
ret = -ENOMEM;
|
||||
if (!shmem_inode_acct_block(inode, 1))
|
||||
|
@ -2301,6 +2302,12 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
|
|||
__SetPageSwapBacked(page);
|
||||
__SetPageUptodate(page);
|
||||
|
||||
ret = -EFAULT;
|
||||
offset = linear_page_index(dst_vma, dst_addr);
|
||||
max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
|
||||
if (unlikely(offset >= max_off))
|
||||
goto out_release;
|
||||
|
||||
ret = mem_cgroup_try_charge_delay(page, dst_mm, gfp, &memcg, false);
|
||||
if (ret)
|
||||
goto out_release;
|
||||
|
@ -2319,8 +2326,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
|
|||
if (dst_vma->vm_flags & VM_WRITE)
|
||||
_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
|
||||
|
||||
ret = -EEXIST;
|
||||
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
|
||||
|
||||
ret = -EFAULT;
|
||||
max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
|
||||
if (unlikely(offset >= max_off))
|
||||
goto out_release_uncharge_unlock;
|
||||
|
||||
ret = -EEXIST;
|
||||
if (!pte_none(*dst_pte))
|
||||
goto out_release_uncharge_unlock;
|
||||
|
||||
|
@ -2338,13 +2351,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
|
|||
|
||||
/* No need to invalidate - it was non-present before */
|
||||
update_mmu_cache(dst_vma, dst_addr, dst_pte);
|
||||
unlock_page(page);
|
||||
pte_unmap_unlock(dst_pte, ptl);
|
||||
unlock_page(page);
|
||||
ret = 0;
|
||||
out:
|
||||
return ret;
|
||||
out_release_uncharge_unlock:
|
||||
pte_unmap_unlock(dst_pte, ptl);
|
||||
delete_from_page_cache(page);
|
||||
out_release_uncharge:
|
||||
mem_cgroup_cancel_charge(page, memcg, false);
|
||||
out_release:
|
||||
|
|
|
@ -33,6 +33,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
|
|||
void *page_kaddr;
|
||||
int ret;
|
||||
struct page *page;
|
||||
pgoff_t offset, max_off;
|
||||
struct inode *inode;
|
||||
|
||||
if (!*pagep) {
|
||||
ret = -ENOMEM;
|
||||
|
@ -73,8 +75,17 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
|
|||
if (dst_vma->vm_flags & VM_WRITE)
|
||||
_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));
|
||||
|
||||
ret = -EEXIST;
|
||||
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
|
||||
if (dst_vma->vm_file) {
|
||||
/* the shmem MAP_PRIVATE case requires checking the i_size */
|
||||
inode = dst_vma->vm_file->f_inode;
|
||||
offset = linear_page_index(dst_vma, dst_addr);
|
||||
max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
|
||||
ret = -EFAULT;
|
||||
if (unlikely(offset >= max_off))
|
||||
goto out_release_uncharge_unlock;
|
||||
}
|
||||
ret = -EEXIST;
|
||||
if (!pte_none(*dst_pte))
|
||||
goto out_release_uncharge_unlock;
|
||||
|
||||
|
@ -108,11 +119,22 @@ static int mfill_zeropage_pte(struct mm_struct *dst_mm,
|
|||
pte_t _dst_pte, *dst_pte;
|
||||
spinlock_t *ptl;
|
||||
int ret;
|
||||
pgoff_t offset, max_off;
|
||||
struct inode *inode;
|
||||
|
||||
_dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
|
||||
dst_vma->vm_page_prot));
|
||||
ret = -EEXIST;
|
||||
dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
|
||||
if (dst_vma->vm_file) {
|
||||
/* the shmem MAP_PRIVATE case requires checking the i_size */
|
||||
inode = dst_vma->vm_file->f_inode;
|
||||
offset = linear_page_index(dst_vma, dst_addr);
|
||||
max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
|
||||
ret = -EFAULT;
|
||||
if (unlikely(offset >= max_off))
|
||||
goto out_unlock;
|
||||
}
|
||||
ret = -EEXIST;
|
||||
if (!pte_none(*dst_pte))
|
||||
goto out_unlock;
|
||||
set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);
|
||||
|
|
Loading…
Reference in a new issue