search for: tlb_finish_mmu

...pin_unlock_irqrestore+0xe/0xf [354008.101031] [<ffffffff810be895>] ? release_pages+0xf4/0x14d [354008.101038] [<ffffffff810de78b>] ? free_pages_and_swap_cache+0x48/0x60 [354008.101045] [<ffffffff810cf527>] ? tlb_flush_mmu+0x37/0x50 [354008.101049] [<ffffffff810cf54c>] ? tlb_finish_mmu+0xc/0x31 [354008.101054] [<ffffffff810d5e79>] ? exit_mmap+0xc4/0xe9 [354008.101060] [<ffffffff81044b82>] ? mmput+0x56/0xf8 [354008.101064] [<ffffffff81049d07>] ? exit_mm+0x117/0x122 [354008.101069] [<ffffffff8107115b>] ? arch_local_irq_disable+0x7/0x8 [354008.101074] [&...

.../0xf > [354008.101031] [<ffffffff810be895>] ? release_pages+0xf4/0x14d > [354008.101038] [<ffffffff810de78b>] ? > free_pages_and_swap_cache+0x48/0x60 > [354008.101045] [<ffffffff810cf527>] ? tlb_flush_mmu+0x37/0x50 > [354008.101049] [<ffffffff810cf54c>] ? tlb_finish_mmu+0xc/0x31 > [354008.101054] [<ffffffff810d5e79>] ? exit_mmap+0xc4/0xe9 > [354008.101060] [<ffffffff81044b82>] ? mmput+0x56/0xf8 > [354008.101064] [<ffffffff81049d07>] ? exit_mm+0x117/0x122 > [354008.101069] [<ffffffff8107115b>] ? arch_local_irq_disable+0x7/0x8...

...h matter how to recover from a broken driver, but since we did the WARN_ON this should sanitize the ret to EAGAIN or 0 Humm. Actually having looked this some more, I wonder if this is a problem: I see in __oom_reap_task_mm(): if (mmu_notifier_invalidate_range_start_nonblock(&range)) { tlb_finish_mmu(&tlb, range.start, range.end); ret = false; continue; } unmap_page_range(&tlb, vma, range.start, range.end, NULL); mmu_notifier_invalidate_range_end(&range); Which looks like it creates an unbalanced start/end pairing if any start returns EAGAIN? This does not seem OK...

...to the vhost subsystem, please let me know, > and if possible forward the report to the correct people or mailing list. > > Here are the bugs: > > -------------------------------------------------------------------------------- > Title: KASAN: use-after-free Write in tlb_finish_mmu > Last occurred: 5 days ago > Reported: 4 days ago > Branches: Mainline > Dashboard link: https://syzkaller.appspot.com/bug?id=d57b94f89e48c85ef7d95acc208209ea4bdc10de > Original thread: https://lkml.kernel.org/lkml/00000000000045e7a1058e02458a at goog...

...but since we > did the WARN_ON this should sanitize the ret to EAGAIN or 0 > > Humm. Actually having looked this some more, I wonder if this is a > problem: > > I see in __oom_reap_task_mm(): > > if (mmu_notifier_invalidate_range_start_nonblock(&range)) { > tlb_finish_mmu(&tlb, range.start, range.end); > ret = false; > continue; > } > unmap_page_range(&tlb, vma, range.start, range.end, NULL); > mmu_notifier_invalidate_range_end(&range); > > Which looks like it creates an unbalanced start/end pairing if any > star...

...should sanitize the ret to EAGAIN or 0 > > > > Humm. Actually having looked this some more, I wonder if this is a > > problem: > > > > I see in __oom_reap_task_mm(): > > > > if (mmu_notifier_invalidate_range_start_nonblock(&range)) { > > tlb_finish_mmu(&tlb, range.start, range.end); > > ret = false; > > continue; > > } > > unmap_page_range(&tlb, vma, range.start, range.end, NULL); > > mmu_notifier_invalidate_range_end(&range); > > > > Which looks like it creates an unbalanced...

The hmm_mirror_ops callback function sync_cpu_device_pagetables() passes a struct hmm_update which is a simplified version of struct mmu_notifier_range. This is unnecessary so replace hmm_update with mmu_notifier_range directly. Signed-off-by: Ralph Campbell <rcampbell at nvidia.com> Cc: "Jérôme Glisse" <jglisse at redhat.com> Cc: Jason Gunthorpe <jgg at mellanox.com>

Greetings, I got the below dmesg and the first bad commit is commit cf39c8e5352b4fb9efedfe7e9acb566a85ed847c Merge: 3398d25 23b7eaf Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Wed Sep 4 17:45:39 2013 -0700 Merge tag ''stable/for-linus-3.12-rc0-tag'' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull Xen updates from Konrad