[PATCH 1/5] thp, mm: split_huge_page(): caller need to lock page
Andrea Righi
andrea.righi at canonical.com
Tue Apr 2 14:52:58 UTC 2019
From: "Kirill A. Shutemov" <kirill.shutemov at linux.intel.com>
We're going to use migration entries instead of compound_lock() to
stabilize page refcounts. Setup and remove migration entries require
page to be locked.
Some of split_huge_page() callers already have the page locked. Let's
require everybody to lock the page before calling split_huge_page().
Signed-off-by: Kirill A. Shutemov <kirill.shutemov at linux.intel.com>
Tested-by: Sasha Levin <sasha.levin at oracle.com>
Tested-by: Aneesh Kumar K.V <aneesh.kumar at linux.vnet.ibm.com>
Acked-by: Vlastimil Babka <vbabka at suse.cz>
Acked-by: Jerome Marchand <jmarchan at redhat.com>
Cc: Andrea Arcangeli <aarcange at redhat.com>
Cc: Hugh Dickins <hughd at google.com>
Cc: Dave Hansen <dave.hansen at intel.com>
Cc: Mel Gorman <mgorman at suse.de>
Cc: Rik van Riel <riel at redhat.com>
Cc: Naoya Horiguchi <n-horiguchi at ah.jp.nec.com>
Cc: Steve Capper <steve.capper at linaro.org>
Cc: Johannes Weiner <hannes at cmpxchg.org>
Cc: Michal Hocko <mhocko at suse.cz>
Cc: Christoph Lameter <cl at linux.com>
Cc: David Rientjes <rientjes at google.com>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
CVE-2019-10124
(cherry-picked from commit 4d2fa965483f4c39bd097ff9bbf3efe62d4cf367)
Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
---
mm/memory-failure.c | 8 +++++++-
mm/migrate.c | 8 ++++++--
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 92a647957f91..6de1daa1fcc7 100644
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1156,7 +1156,9 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
}
if (!PageHuge(p) && PageTransHuge(hpage)) {
+ lock_page(hpage);
if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) {
+ unlock_page(hpage);
if (!PageAnon(hpage))
pr_err("MCE: %#lx: non anonymous thp\n", pfn);
else
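Review bot: In the failure branch of memory_failure(), the second `!PageAnon(hpage)` test that picks the pr_err() message now runs after the added `unlock_page(hpage)`, so it is evaluated outside the lock that covered the first test in the `if` condition. Consider caching the PageAnon() result in a local before the condition, or moving the unlock below the message selection, so both decisions are made on the same locked state. The non-anonymous case also takes and drops the page lock without ever calling split_huge_page(); checking PageAnon() before `lock_page(hpage)` would avoid that.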
@@ -1166,6 +1168,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
put_hwpoison_page(p);
return -EBUSY;
}
+ unlock_page(hpage);
VM_BUG_ON_PAGE(!page_count(p), p);
hpage = compound_head(p);
}
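Review bot: The success-path `unlock_page(hpage)` is only correct because it sits above `hpage = compound_head(p);`, which reassigns hpage right after the split. A short comment at the unlock stating that it must release the page locked before the split, and so must stay ahead of the reassignment, would keep a later reordering from unlocking a different page than the one that was locked.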
@@ -1757,7 +1760,10 @@ int soft_offline_page(struct page *page, int flags)
return -EBUSY;
}
if (!PageHuge(page) && PageTransHuge(hpage)) {
- if (PageAnon(hpage) && unlikely(split_huge_page(hpage))) {
+ lock_page(page);
+ ret = split_huge_page(hpage);
+ unlock_page(page);
+ if (unlikely(ret)) {
pr_info("soft offline: %#lx: failed to split THP\n",
pfn);
if (flags & MF_COUNT_INCREASED)
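Review bot: In soft_offline_page() the lock is taken with `lock_page(page)` while the split is called on `hpage`, whereas the memory_failure() hunks lock and split the same `hpage`. Either lock `hpage` here as well or add a comment explaining why locking `page` satisfies the new "caller must lock" requirement. Separately, the removed line only attempted the split when `PageAnon(hpage)` was true; the new code calls split_huge_page() for every THP and treats any non-zero `ret` as a failure. If that widening is intended it deserves a sentence in the commit message, since the description only mentions locking.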
diff --git a/mm/migrate.c b/mm/migrate.c
index 73da75d5e5b2..8f1c69e0cb70 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -947,9 +947,13 @@ static ICE_noinline int unmap_and_move(new_page_t get_new_page,
goto out;
}
- if (unlikely(PageTransHuge(page)))
- if (unlikely(split_huge_page(page)))
+ if (unlikely(PageTransHuge(page))) {
+ lock_page(page);
+ rc = split_huge_page(page);
+ unlock_page(page);
+ if (rc)
goto out;
+ }
rc = __unmap_and_move(page, newpage, force, mode);
if (rc == MIGRATEPAGE_SUCCESS)
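Review bot: In unmap_and_move(), the failure path now reaches `out` with rc holding split_huge_page()'s return value, where the old nested `if` jumped to `out` without touching rc. Please confirm the code at `out` handles that value the same way as the value rc carried before. As a style point, `if (rc)` drops the `unlikely()` hint the removed line had, while the soft_offline_page() hunk keeps `unlikely(ret)`; it would be good to keep the two consistent.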
--
2.19.1