author | Salvatore Bonaccorso <carnil@debian.org> | 2021-10-13 21:48:08 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-10-13 21:48:44 +0200 |
commit | 3ff41e676236848152fe7d6395f4dfa94037a12d (patch) | |
tree | ce46b3905e339f5c132caba40a2b1bd0fc487cea | |
parent | 81e691979f8dbe0dd49ea40ef41d6e3a8dcc9b3f (diff) | |
mm/secretmem: Fix NULL page->mapping dereference in page_is_secretmem()
Closes: #996175
-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch | 68 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 71 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d803b9d934ec..45ed4a630665 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -313,6 +313,8 @@ linux (5.14.12-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * Bump ABI to 3 + * mm/secretmem: Fix NULL page->mapping dereference in page_is_secretmem() + (Closes: #996175) -- Salvatore Bonaccorso <carnil@debian.org> Mon, 04 Oct 2021 22:05:09 +0200
diff --git a/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch b/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch
new file mode 100644
index 000000000000..fc0dd0625df8
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch
@@ -0,0 +1,68 @@
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 11 Oct 2021 13:23:57 +1100
+Subject: mm/secretmem: Fix NULL page->mapping dereference in
+ page_is_secretmem()
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=fbc44e4fb9b37111f933fd8b294423648f3a1679
+Bug-Debian: https://bugs.debian.org/996175
+
+Check for a NULL page->mapping before dereferencing the mapping in
+page_is_secretmem(), as the page's mapping can be nullified while gup() is
+running, e.g. by reclaim or truncation.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000068
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W
+ RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0
+ Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be
+ RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046
+ RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900
+ ...
+ CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0
+ Call Trace:
+ get_user_pages_fast_only+0x13/0x20
+ hva_to_pfn+0xa9/0x3e0
+ try_async_pf+0xa1/0x270
+ direct_page_fault+0x113/0xad0
+ kvm_mmu_page_fault+0x69/0x680
+ vmx_handle_exit+0xe1/0x5d0
+ kvm_arch_vcpu_ioctl_run+0xd81/0x1c70
+ kvm_vcpu_ioctl+0x267/0x670
+ __x64_sys_ioctl+0x83/0xa0
+ do_syscall_64+0x56/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Link: https://lkml.kernel.org/r/20211007231502.3552715-1-seanjc@google.com
+Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reported-by: Darrick J. Wong <djwong@kernel.org>
+Reported-by: Stephen <stephenackerman16@gmail.com>
+Tested-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+---
+ include/linux/secretmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
+index 21c3771e6a56..988528b5da43 100644
+--- a/include/linux/secretmem.h
++++ b/include/linux/secretmem.h
+@@ -23,7 +23,7 @@ static inline bool page_is_secretmem(struct page *page)
+ mapping = (struct address_space *)
+ ((unsigned long)page->mapping & ~PAGE_MAPPING_FLAGS);
+
+- if (mapping != page->mapping)
++ if (!mapping || mapping != page->mapping)
+ return false;
+
+ return mapping->a_ops == &secretmem_aops;
+--
+2.33.0
+
diff --git a/debian/patches/series b/debian/patches/series
index fa95c4d312e4..0fd2ccf9e5fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,6 +89,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch bugfix/all/disable-some-marvell-phys.patch bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/HID-apple-Add-missing-scan-code-event-for-keys-handl.patch +bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch # Miscellaneous features |
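Review bot: The guarded test in the inner secretmem.h hunk still reads `page->mapping` twice with plain loads, once to build `mapping` and once in the comparison, although the patch description says the field can be cleared by reclaim or truncation while gup() is running. The added `!mapping` test appears to cover the reported oops because the dereference goes through the local copy, but taking one snapshot with `READ_ONCE(page->mapping)` and doing the flag test, the NULL test and the `a_ops` read on that local would make the lockless access explicit to both the compiler and the reader. A short comment above the check, such as `/* page->mapping may be cleared concurrently by reclaim or truncation */`, would also record why the NULL test exists. page_is_secretmem() starts and ends outside the hunk, so whether the address_space is guaranteed to stay valid for the `a_ops` read cannot be judged from these lines.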