[kernel/f18] Fix vmalloc_fault oops during lazy MMU (rhbz 914737)

Josh Boyer jwboyer at fedoraproject.org
Tue Feb 26 13:18:01 UTC 2013


commit a46911c9f818ef20f51de572ab1f75957e8732b3
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Feb 26 08:14:54 2013 -0500

    Fix vmalloc_fault oops during lazy MMU (rhbz 914737)

 kernel.spec                                        |    9 ++++
 ...malloc_fault-oops-during-lazy-MMU-updates.patch |   48 ++++++++++++++++++++
 2 files changed, 57 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 22713df..4410b1e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -811,6 +811,9 @@ Patch22260: sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
 #rhbz 903192
 Patch22261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
 
+#rhbz 914737
+Patch22262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
+
 Patch23000: silence-brcmsmac-warning.patch
 
 #rhbz 812111
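Review bot: the new Patch22262 line and its `#rhbz 914737` comment follow the convention of the neighbouring entries, but the patch file it names opens with `From:	Samu Kallio <>`, an empty author address, and carries no note on upstream status; fill the address from the patch's own Signed-off-by line (samu.kallio at aberdeencloud.com) or reference the list posting, so the provenance of this carried patch is recoverable when it is later rebased or dropped.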
@@ -1571,6 +1574,9 @@ ApplyPatch sock_diag-Fix-out-of-bounds-access-to-sock_diag_handlers.patch
 #rhbz 903192
 ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
 
+#rhbz 914737
+ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2434,6 +2440,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Feb 26 2013 Josh Boyer <jwboyer at redhat.com>
+- Fix vmalloc_fault oops during lazy MMU (rhbz 914737)
+
 * Mon Feb 25 2013 Josh Boyer <jwboyer at redhat.com>
 - Honor dmesg_restrict for /dev/kmsg (rhbz 903192)
 
diff --git a/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch b/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
new file mode 100644
index 0000000..31b0de8
--- /dev/null
+++ b/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
@@ -0,0 +1,48 @@
+From:	Samu Kallio <>
+Subject: [PATCH] x86: mm: Fix vmalloc_fault oops during lazy MMU updates.
+Date: Sun, 17 Feb 2013 04:35:52 +0200
+
+In paravirtualized x86_64 kernels, vmalloc_fault may cause an oops
+when lazy MMU updates are enabled, because set_pgd effects are being
+deferred.
+
+One instance of this problem is during process mm cleanup with memory
+cgroups enabled. The chain of events is as follows:
+
+- zap_pte_range enables lazy MMU updates
+- zap_pte_range eventually calls mem_cgroup_charge_statistics,
+  which accesses the vmalloc'd mem_cgroup per-cpu stat area
+- vmalloc_fault is triggered which tries to sync the corresponding
+  PGD entry with set_pgd, but the update is deferred
+- vmalloc_fault oopses due to a mismatch in the PUD entries
+
+Calling arch_flush_lazy_mmu_mode immediately after set_pgd makes the
+changes visible to the consistency checks.
+
+Signed-off-by: Samu Kallio <samu.kallio at aberdeencloud.com>
+---
+ arch/x86/mm/fault.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index 8e13ecb..0a45298 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -378,10 +378,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address)
+ 	if (pgd_none(*pgd_ref))
+ 		return -1;
+ 
+-	if (pgd_none(*pgd))
++	if (pgd_none(*pgd)) {
+ 		set_pgd(pgd, *pgd_ref);
+-	else
++		arch_flush_lazy_mmu_mode();
++	} else {
+ 		BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
++	}
+ 
+ 	/*
+ 	 * Below here mismatches are bugs because these lower tables
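Review bot: the added `arch_flush_lazy_mmu_mode();` after `set_pgd(pgd, *pgd_ref);` has no comment, and nothing in the code explains why a lazy-MMU flush belongs in a page-fault path, so a later cleanup could remove it as redundant; add a comment giving the reason from the description: with paravirt lazy MMU updates enabled the set_pgd() is deferred, and the PUD/PMD/PTE consistency checks that follow (the "Below here mismatches are bugs" block) would otherwise read the stale entry and hit BUG_ON. Note also that the flush is issued only in the pgd_none() branch; the else branch's `BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref))` relies on any earlier population of this pgd having already become visible, which holds as long as this branch is the path that populates it.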
+-- 
+1.8.1.3
+
+  