Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:  lib: test_hmm: evict device pages on file close to avoid use-after-free  Patch series "Minor hmm_test fixes and cleanups".  Two bugfixes a cleanup for the HMM kernel selftests.  These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.   This patch (of 3):  When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first.  This leaves those pages with a dangling zone_device_data pointer to the freed dmirror.  If a subsequent fault occurs on those pages (eg.  during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic.  This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.  Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct.  The function is moved earlier in the file to avoid a forward declaration.