Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp735475pxb; Mon, 25 Oct 2021 17:46:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzBXKyWxEB54/PoC0s+R1aqD40Bhz3Xydc7jD/B/XwMIIIAjY3KbXFJja4YSAaUTCrk+vAK X-Received: by 2002:a17:90b:4f4b:: with SMTP id pj11mr25152377pjb.4.1635209183781; Mon, 25 Oct 2021 17:46:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635209183; cv=none; d=google.com; s=arc-20160816; b=w1Hw9RcU2n1TmN+X4woyiuM5G+UzO+iGt/ngTSZr7A2KfZ+z4RY5c0pqAC5QzZAW8H MXm+DkNcmzNzfGLgFMGCJvVDgaTkCeB1t43SbQ+r73UwaLLqIZhZkXEiAAufrTQzdDFG J3bT06S9U/sjHrsBmw6hU5XHxCe/1ev6b+8608SCgI6Mg7fzixKxXMT++04Endmga/dQ lMBQsVD/W3T9xzwey6ZEpomDSBg1Ve3uhCuyZoZ4KAIMjhRJfYn+j5lOP1V4fW1AGanQ BDK2a0pieh4N0ZHnDLJ3JOrK6bqw11A0ZNy3+ffFv3GAGpaRE7b9IbgqBneglVe3EK0n AZgw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ouj3k5LxWfC8VxxdECNW26RgTCF6dpwcX6EVpNcR2Cg=; b=Cf3AtoKEoM1/GddyPi7Wuj498tX85spq0sULIUy+uPl3FuLXpimbZTNTpcJnoOxOPV vwbZeTe2tTWUB8KmNBZYSVGVRDmTidk5OHotlwOcr4zhNa4DdQ9seOOKRdSI7X6FzpY1 lJy7oangjYgwe9UyWKD/lLcgsPue4wdbT0vC2rVRDLluTJ2fTRYjHc00wRoJpPQm6/nq iUaaDhyM8SfNDW/oJH7i29sAwNGadd6uX6Y4UMRVgghAsPDu5Z2IDb4x/ttObIZ1XlAJ VYiPAk6bRNOa9mhctPlraBLIQx2Ps14XD8cWD7x/G1lF+8ICPtzremdmlCG3gIGOugMc e0Hg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FERWrVz1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o24si25339296pgv.451.2021.10.25.17.46.09; Mon, 25 Oct 2021 17:46:23 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FERWrVz1; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239178AbhJYTyQ (ORCPT + 99 others); Mon, 25 Oct 2021 15:54:16 -0400 Received: from mail.kernel.org ([198.145.29.99]:37366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236056AbhJYTt4 (ORCPT ); Mon, 25 Oct 2021 15:49:56 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 64AD060551; Mon, 25 Oct 2021 19:42:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1635190929; bh=gfUraPH3jSTYcrc8yohiE4fCL+/9xdnfvmYa7aln9Gs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=FERWrVz1OFzp7ebjJgoiecl2reP7tM3+Vs1qPvAL/f7DqpKT4uXgXrzfc+pjcCVMB QoluWa6BOkdx2z9CHz3vl5i7dVhbRgDqGrQmpkCq6uy3Ud3Xn67bywMZiW8fn22bI7 Yoxvo+k459QHoDpAgaSjZ347qlLHhe5/p79nKHQY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sean Christopherson , "Darrick J. Wong" , Stephen , David Hildenbrand , Mike Rapoport , Andrew Morton , Linus Torvalds Subject: [PATCH 5.14 085/169] mm/secretmem: fix NULL page->mapping dereference in page_is_secretmem() Date: Mon, 25 Oct 2021 21:14:26 +0200 Message-Id: <20211025191028.025367440@linuxfoundation.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211025191017.756020307@linuxfoundation.org> References: <20211025191017.756020307@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson commit 79f9bc5843142b649575f887dccdf1c07ad75c20 upstream. Check for a NULL page->mapping before dereferencing the mapping in page_is_secretmem(), as the page's mapping can be nullified while gup() is running, e.g. by reclaim or truncation. BUG: kernel NULL pointer dereference, address: 0000000000000068 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 6 PID: 4173897 Comm: CPU 3/KVM Tainted: G W RIP: 0010:internal_get_user_pages_fast+0x621/0x9d0 Code: <48> 81 7a 68 80 08 04 bc 0f 85 21 ff ff 8 89 c7 be RSP: 0018:ffffaa90087679b0 EFLAGS: 00010046 RAX: ffffe3f37905b900 RBX: 00007f2dd561e000 RCX: ffffe3f37905b934 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffe3f37905b900 ... CR2: 0000000000000068 CR3: 00000004c5898003 CR4: 00000000001726e0 Call Trace: get_user_pages_fast_only+0x13/0x20 hva_to_pfn+0xa9/0x3e0 try_async_pf+0xa1/0x270 direct_page_fault+0x113/0xad0 kvm_mmu_page_fault+0x69/0x680 vmx_handle_exit+0xe1/0x5d0 kvm_arch_vcpu_ioctl_run+0xd81/0x1c70 kvm_vcpu_ioctl+0x267/0x670 __x64_sys_ioctl+0x83/0xa0 do_syscall_64+0x56/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Link: https://lkml.kernel.org/r/20211007231502.3552715-1-seanjc@google.com Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas") Signed-off-by: Sean Christopherson Reported-by: Darrick J. Wong Reported-by: Stephen Tested-by: Darrick J. Wong Reviewed-by: David Hildenbrand Reviewed-by: Mike Rapoport Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- include/linux/secretmem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -23,7 +23,7 @@ static inline bool page_is_secretmem(str mapping = (struct address_space *) ((unsigned long)page->mapping & ~PAGE_MAPPING_FLAGS); - if (mapping != page->mapping) + if (!mapping || mapping != page->mapping) return false; return mapping->a_ops == &secretmem_aops;