authorSalvatore Bonaccorso <carnil@debian.org>2021-10-13 21:48:08 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2021-10-13 21:48:44 +0200
commit3ff41e676236848152fe7d6395f4dfa94037a12d (patch)
treece46b3905e339f5c132caba40a2b1bd0fc487cea
parent81e691979f8dbe0dd49ea40ef41d6e3a8dcc9b3f (diff)
mm/secretmem: Fix NULL page->mapping dereference in page_is_secretmem()
Closes: #996175
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch68
-rw-r--r--debian/patches/series1
3 files changed, 71 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d803b9d934ec..45ed4a630665 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -313,6 +313,8 @@ linux (5.14.12-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* Bump ABI to 3
+ * mm/secretmem: Fix NULL page->mapping dereference in page_is_secretmem()
+ (Closes: #996175)
-- Salvatore Bonaccorso <carnil@debian.org> Mon, 04 Oct 2021 22:05:09 +0200
diff --git a/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch b/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch
new file mode 100644
index 000000000000..fc0dd0625df8
--- /dev/null
+++ b/debian/patches/bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch
@@ -0,0 +1,68 @@
+From: Sean Christopherson <seanjc@google.com>
+Date: Mon, 11 Oct 2021 13:23:57 +1100
+Subject: mm/secretmem: Fix NULL page->mapping dereference in
+ page_is_secretmem()
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=fbc44e4fb9b37111f933fd8b294423648f3a1679
+Bug-Debian: https://bugs.debian.org/996175
+
+Check for a NULL page->mapping before dereferencing the mapping in
+page_is_secretmem(), as the page's mapping can be nullified while gup() is
+running, e.g. by reclaim or truncation.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000068
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W
+ RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0
+ Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be
+ RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046
+ RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900
+ ...
+ CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0
+ Call Trace:
+ get_user_pages_fast_only+0x13/0x20
+ hva_to_pfn+0xa9/0x3e0
+ try_async_pf+0xa1/0x270
+ direct_page_fault+0x113/0xad0
+ kvm_mmu_page_fault+0x69/0x680
+ vmx_handle_exit+0xe1/0x5d0
+ kvm_arch_vcpu_ioctl_run+0xd81/0x1c70
+ kvm_vcpu_ioctl+0x267/0x670
+ __x64_sys_ioctl+0x83/0xa0
+ do_syscall_64+0x56/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Link: https://lkml.kernel.org/r/20211007231502.3552715-1-seanjc@google.com
+Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reported-by: Darrick J. Wong <djwong@kernel.org>
+Reported-by: Stephen <stephenackerman16@gmail.com>
+Tested-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
+---
+ include/linux/secretmem.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
+index 21c3771e6a56..988528b5da43 100644
+--- a/include/linux/secretmem.h
++++ b/include/linux/secretmem.h
+@@ -23,7 +23,7 @@ static inline bool page_is_secretmem(struct page *page)
+ mapping = (struct address_space *)
+ ((unsigned long)page->mapping & ~PAGE_MAPPING_FLAGS);
+
+- if (mapping != page->mapping)
++ if (!mapping || mapping != page->mapping)
+ return false;
+
+ return mapping->a_ops == &secretmem_aops;
+--
+2.33.0
+
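Review bot: The new condition on the `+ if (!mapping || mapping != page->mapping)` line still reads page->mapping twice with plain loads, so the NULL check covers only the first read and the comparison uses a second, possibly different, value; the mismatch path returns false, which is safe, but the racy read the commit message describes is not visible in the code and nothing stops the compiler from merging or re-issuing the two loads. Taking one snapshot makes the intent explicit: `unsigned long m = (unsigned long)READ_ONCE(page->mapping); mapping = (struct address_space *)(m & ~PAGE_MAPPING_FLAGS); if (!mapping || (unsigned long)mapping != m) return false;`, preceded by a comment such as `/* page->mapping can be cleared concurrently (reclaim, truncate); read it once */`. The later `mapping->a_ops` dereference is only as safe as the lifetime of the address_space after the snapshot, which this hunk does not establish — worth a one-line comment stating what guarantees it in the GUP-fast path. page_is_secretmem() begins before this hunk (only its signature is visible in the @@ header), so any earlier guards cannot be confirmed from here.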
diff --git a/debian/patches/series b/debian/patches/series
index fa95c4d312e4..0fd2ccf9e5fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -89,6 +89,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
bugfix/all/disable-some-marvell-phys.patch
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
bugfix/all/HID-apple-Add-missing-scan-code-event-for-keys-handl.patch
+bugfix/all/mm-secretmem-Fix-NULL-page-mapping-dereference-in-pa.patch
# Miscellaneous features