Commit 39d282d5 authored by Qi Zheng's avatar Qi Zheng Committed by Lokesh Gidra
Browse files

BACKPORT: mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails 

After ptep_clear_flush(), if we find that src_folio is pinned we will fail
UFFDIO_MOVE and put src_folio back to src_pte entry, but the change to
src_folio->{mapping,index} is not restored in this process. This is not
what we expected, so fix it.

This can cause the rmap for that page to be invalid, possibly resulting
in memory corruption.  At least swapout+migration would no longer work,
because we might fail to locate the mappings of that folio.

Link: https://lkml.kernel.org/r/20240222080815.46291-1-zhengqi.arch@bytedance.com


Fixes: adef4406 ("userfaultfd: UFFDIO_MOVE uABI")
Signed-off-by: default avatarQi Zheng <zhengqi.arch@bytedance.com>
Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
Reviewed-by: default avatarSuren Baghdasaryan <surenb@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>

(cherry picked from commit d7a08838)
Conflicts:
	mm/userfaultfd.c

1. Replace folio_move_anon_rmap() with page_move_anon_rmap().

Bug: 274911254
Bug: 339845931
Signed-off-by: default avatarLokesh Gidra <lokeshgidra@google.com>
(cherry picked from https://android-review.googlesource.com/q/commit:bfb4b24b642e2776dbfa0720fc57239386f9234e)
Merged-In: Ie4bf5785244271ab233c6230ed71460fd571bd1a
Change-Id: Ie4bf5785244271ab233c6230ed71460fd571bd1a
parent 24b29ac4
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment