In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: do not clobber swp_entry_t during THP split

The following has been observed when running stress-ng mmap since commit b653db77350c ("mm: Clear page->private when splitting or migrating a page"):

watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546]
CPU: 75 PID: 9546 Comm: stress-ng Tainted: G E 6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374
Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016
RIP: 0010:xas_descend+0x28/0x80
Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 <48> 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2
RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246
RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002
RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0
RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0
R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000
R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88
FS: 00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 xas_load+0x3a/0x50
 __filemap_get_folio+0x80/0x370
 ? put_swap_page+0x163/0x360
 pagecache_get_page+0x13/0x90
 __try_to_reclaim_swap+0x50/0x190
 scan_swap_map_slots+0x31e/0x670
 get_swap_pages+0x226/0x3c0
 folio_alloc_swap+0x1cc/0x240
 add_to_swap+0x14/0x70
 shrink_page_list+0x968/0xbc0
 reclaim_page_list+0x70/0xf0
 reclaim_pages+0xdd/0x120
 madvise_cold_or_pageout_pte_range+0x814/0xf30
 walk_pgd_range+0x637/0xa30
 __walk_page_range+0x142/0x170
 walk_page_range+0x146/0x170
 madvise_pageout+0xb7/0x280
 ? asm_common_interrupt+0x22/0x40
 madvise_vma_behavior+0x3b7/0xac0
 ? find_vma+0x4a/0x70
 ? find_vma+0x64/0x70
 ? madvise_vma_anon_name+0x40/0x40
 madvise_walk_vmas+0xa6/0x130
 do_madvise+0x2f4/0x360
 __x64_sys_madvise+0x26/0x30
 do_syscall_64+0x5b/0x80
 ? do_syscall_64+0x67/0x80
 ? syscall_exit_to_user_mode+0x17/0x40
 ? do_syscall_64+0x67/0x80
 ? syscall_exit_to_user_mode+0x17/0x40
 ? do_syscall_64+0x67/0x80
 ? do_syscall_64+0x67/0x80
 ? common_interrupt+0x8b/0xa0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The problem can be reproduced with the mmtests config config-workload-stressng-mmap. It does not always happen and when it triggers is variable, but it has happened on multiple machines.

The intent of commit b653db77350c was to avoid the case where PG_private is clear but folio->private is non-NULL. However, THP tail pages use page->private for "swp_entry_t if folio_test_swapcache()" as stated in the documentation for struct folio. This patch only clobbers page->private for tail pages if the head page was not in swapcache and warns once if page->private had an unexpected value.
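The hazard described above, as an added user-space model that is not the kernel's code and not part of the CVE text: a "THP" is modelled as an array of struct page, and while the folio sits in the swap cache each subpage keeps its own swp_entry_t value in page->private (head entry plus subpage index). The pre-fix tail split zeroes that field for every tail page, so the swap entries the swap cache later looks up are gone; the post-fix version leaves ->private alone when the head is in swap cache and only clears (and warns once about) a stale value on a non-swapcache tail. The names PG_SWAPCACHE, HPAGE_NR, split_tail_buggy and split_tail_fixed, and the constructed swap entry value, are this example's own assumptions.

```c
/* Added illustration (not the kernel's code): a user-space model of the
 * page->private clobbering described in the CVE text. Names and the sample
 * swap entry value are assumptions made for this example. */
#include <stdio.h>
#include <stdbool.h>

#define PG_SWAPCACHE  (1UL << 0)   /* modelled page flag, set on the head page */
#define HPAGE_NR      4            /* subpages per modelled THP */

struct page {
    unsigned long flags;
    unsigned long private;   /* holds swp_entry_t.val while in swap cache */
};

static bool head_in_swapcache(const struct page *head)
{
    return (head->flags & PG_SWAPCACHE) != 0;
}

/* Tail split as it behaved after commit b653db77350c: always clear ->private. */
static void split_tail_buggy(struct page *head, int tail)
{
    (head + tail)->private = 0;
}

/* Tail split as the fix describes it: keep ->private for swap-cache folios,
 * otherwise clear it and warn once if it held an unexpected value. */
static int warned_once;
static void split_tail_fixed(struct page *head, int tail)
{
    struct page *page_tail = head + tail;

    if (!head_in_swapcache(head)) {
        if (page_tail->private != 0 && !warned_once) {
            warned_once = 1;
            fprintf(stderr, "warn once: tail %d had private=%#lx\n",
                    tail, page_tail->private);
        }
        page_tail->private = 0;
    }
}

/* Put a modelled THP into the swap cache: each subpage records its own entry
 * (head entry + subpage index), mirroring how the swap cache stores them. */
static void add_to_swap_cache(struct page *head, unsigned long entry)
{
    head->flags |= PG_SWAPCACHE;
    for (int i = 0; i < HPAGE_NR; i++)
        (head + i)->private = entry + i;
}

/* Count subpages whose recorded swap entry no longer matches what was stored. */
static int count_lost_entries(const struct page *pages, unsigned long entry)
{
    int lost = 0;
    for (int i = 0; i < HPAGE_NR; i++)
        if (pages[i].private != entry + i)
            lost++;
    return lost;
}

/* Split a swap-cache THP with the given tail routine and report how many
 * swp_entry_t values were clobbered. */
static int split_and_count_lost(void (*split_tail)(struct page *, int))
{
    struct page thp[HPAGE_NR] = {0};
    const unsigned long entry = 0x39c01;   /* constructed swap entry value */

    add_to_swap_cache(thp, entry);
    for (int i = HPAGE_NR - 1; i >= 1; i--)   /* tails are split last to first */
        split_tail(thp, i);
    return count_lost_entries(thp, entry);
}

/* A non-swapcache THP whose tails carry a stale ->private: the fixed path
 * must still clear it. Returns how many tails are left non-zero. */
static int split_stale_non_swapcache(void)
{
    struct page thp[HPAGE_NR] = {0};
    int nonzero = 0;

    for (int i = 1; i < HPAGE_NR; i++)
        thp[i].private = 0xdead;
    for (int i = HPAGE_NR - 1; i >= 1; i--)
        split_tail_fixed(thp, i);
    for (int i = 1; i < HPAGE_NR; i++)
        nonzero += thp[i].private != 0;
    return nonzero;
}

int main(void)
{
    printf("buggy split lost %d swap entries\n", split_and_count_lost(split_tail_buggy));
    printf("fixed split lost %d swap entries\n", split_and_count_lost(split_tail_fixed));
    printf("stale tails left after fixed split: %d\n", split_stale_non_swapcache());
    return 0;
}
```

The model reproduces only the data-structure side of the bug: with the buggy split every tail page's swap entry is lost, which in the real kernel is what the later swap-cache lookup in __try_to_reclaim_swap tripped over; the fixed split preserves all of them while still clearing (and warning about) stale ->private on tails of a folio that is not in swap cache.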