diff options
| author | Lance Yang <[email protected]> | 2025-06-27 06:23:19 +0000 |
|---|---|---|
| committer | Andrew Morton <[email protected]> | 2025-07-10 04:07:53 +0000 |
| commit | ddd05742b45b083975a0855ef6ebbf88cf1f532a (patch) | |
| tree | 438d25357b00e1fc7033652bdbe82fda9ca2b99d /drivers/usb/cdns3/cdns3-ti.c | |
| parent | mm/hugetlb: don't crash when allocating a folio if there are no resv (diff) | |
| download | kernel-ddd05742b45b083975a0855ef6ebbf88cf1f532a.tar.gz kernel-ddd05742b45b083975a0855ef6ebbf88cf1f532a.zip | |
mm/rmap: fix potential out-of-bounds page table access during batched unmap
As pointed out by David[1], the batched unmap logic in
try_to_unmap_one() may read past the end of a PTE table when a large
folio's PTE mappings are not fully contained within a single page
table.
While this scenario might be rare, an issue triggerable from userspace
must be fixed regardless of its likelihood. This patch fixes the
out-of-bounds access by refactoring the logic into a new helper,
folio_unmap_pte_batch().
The new helper correctly calculates the safe batch size by capping the
scan at both the VMA and PMD boundaries. To simplify the code, it also
supports partial batching (i.e., any number of pages from 1 up to the
calculated safe maximum), as there is no strong reason to special-case
for fully mapped folios.
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lore.kernel.org/linux-mm/[email protected] [1]
Fixes: 354dffd29575 ("mm: support batched unmap for lazyfree large folios during reclamation")
Signed-off-by: Lance Yang <[email protected]>
Suggested-by: David Hildenbrand <[email protected]>
Reported-by: David Hildenbrand <[email protected]>
Closes: https://lore.kernel.org/linux-mm/[email protected]
Suggested-by: Barry Song <[email protected]>
Acked-by: Barry Song <[email protected]>
Reviewed-by: Lorenzo Stoakes <[email protected]>
Acked-by: David Hildenbrand <[email protected]>
Reviewed-by: Harry Yoo <[email protected]>
Cc: Baolin Wang <[email protected]>
Cc: Chris Li <[email protected]>
Cc: "Huang, Ying" <[email protected]>
Cc: Kairui Song <[email protected]>
Cc: Lance Yang <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Mingzhe Yang <[email protected]>
Cc: Rik van Riel <[email protected]>
Cc: Ryan Roberts <[email protected]>
Cc: Tangquan Zheng <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Diffstat (limited to 'drivers/usb/cdns3/cdns3-ti.c')
0 files changed, 0 insertions, 0 deletions