[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220210123058.79206-7-songmuchun@bytedance.com>
Date: Thu, 10 Feb 2022 20:30:57 +0800
From: Muchun Song <songmuchun@...edance.com>
To: akpm@...ux-foundation.org, zi.yan@...rutgers.edu,
kirill.shutemov@...ux.intel.com, rientjes@...gle.com,
lars.persson@...s.com, mike.kravetz@...cle.com, ziy@...dia.com
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
duanxiongchun@...edance.com, fam.zheng@...edance.com,
Muchun Song <songmuchun@...edance.com>
Subject: [PATCH v5 6/7] mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
The userfaultfd calls mcopy_atomic_pte() and __mcopy_atomic() which do not
do any cache flushing for the target page. Then the target page will be
mapped to the user space with a different address (user address), which might
have an alias issue with the kernel address used to copy the data from the
user to. Fix this by insert flush_dcache_page() after copy_from_user()
succeeds.
Fixes: b6ebaedb4cb1 ("userfaultfd: avoid mmap_sem read recursion in mcopy_atomic")
Fixes: c1a4de99fada ("userfaultfd: mcopy_atomic|mfill_zeropage: UFFDIO_COPY|UFFDIO_ZEROPAGE preparation")
Signed-off-by: Muchun Song <songmuchun@...edance.com>
---
mm/userfaultfd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 0780c2a57ff1..6ccc534d1c1c 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -150,6 +150,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
/* don't free the page */
goto out;
}
+
+ flush_dcache_page(page);
} else {
page = *pagep;
*pagep = NULL;
@@ -625,6 +627,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm,
err = -EFAULT;
goto out;
}
+ flush_dcache_page(page);
goto retry;
} else
BUG_ON(page);
--
2.11.0
Powered by blists - more mailing lists