Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp4135162rwi; Mon, 17 Oct 2022 01:51:59 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5gCP2RPFYPl08TOm7k/3mzg5ZCIzwcEQvl1aR9zwP4+qMApCgyUA2a5asNQg3x/lF6wfm9 X-Received: by 2002:a17:906:5dac:b0:78d:fa65:a4a9 with SMTP id n12-20020a1709065dac00b0078dfa65a4a9mr7613393ejv.223.1665996718531; Mon, 17 Oct 2022 01:51:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1665996718; cv=none; d=google.com; s=arc-20160816; b=iCBUsS3nosNhJ8rhZlg6bUXIHUuOXFvAh4JDfNI57pXkuE3wFlRBjphDLrFTKPMurY Jj6RFzclWVfgzBPmYB41QrTWAi4pC/KAVu4Dc5FX0ldfJtsns6M3LOflnE6XoHHiEcIC xNAD4w/7yhNhEOo0TOFS3KQS0/MjSii6u7EmgYBVS56JwSmtQuSwrfUpzTfWZeD/daQd RjKSY3kZYruP5cd5lQcAmzCg9iE5Sexof2/HR6HKb8FZ9VH6FpcSjQfjUOkwmAe7BTKN ynnG9XskivYpH4ntG2hUkbzfKcM91FXvh2aCoCtmq3Bl5fcB8JBE3IihCPR1XRF+diRl jQ7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=4y1JTQEeuK6Yl5Xiz7RHCHtf0zea9DAbfeKlk8mvN/U=; b=ks/4hAHXg7/QthZuZEPcccphByYBKb6U/p/FVePBLI760lTPn32d+OXc4J1tU2fTey JyorHmJh+75pP3AolLF7+5J8N2me0jtrOrO+11aQa+m4jNTF63XYOhhcPLeU3yUvQsaC oWpewHPfgPLiutNmEOVoIjdy43rJycQ8eVtsC8/5TGPoHTgf7F9e2ZyGTHwBVX049kCW 8AM24HlpnWYTJuwS0BhPHVbWdUWQzW9XhtUwNYjzitBuPcDIN2o4BlwTOYpANG/DKc3R kVPMi5ZzcTZQDOxyKWIxz70Az96Uf5fSgrZm+C1Ix5KL6gCBjUzICwqY181smcCpBSOK mx1Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d22-20020a50fe96000000b0045beaf03ddesi7440845edt.411.2022.10.17.01.51.32; Mon, 17 Oct 2022 01:51:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230214AbiJQIpK (ORCPT + 99 others); Mon, 17 Oct 2022 04:45:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230211AbiJQIox (ORCPT ); Mon, 17 Oct 2022 04:44:53 -0400 Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A8C282D1E1; Mon, 17 Oct 2022 01:44:47 -0700 (PDT) Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.54]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4MrVmh3CQRz1P7tQ; Mon, 17 Oct 2022 16:40:04 +0800 (CST) Received: from dggpemm100009.china.huawei.com (7.185.36.113) by dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 17 Oct 2022 16:44:45 +0800 Received: from huawei.com (10.175.113.32) by dggpemm100009.china.huawei.com (7.185.36.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Mon, 17 Oct 2022 16:44:44 +0800 From: Liu Shixin To: Greg Kroah-Hartman , Andrew Morton , Kefeng Wang , "Mike Kravetz" , Liu Zixian CC: , , Liu Shixin Subject: [PATCH stable 5.10] mm: hugetlb: fix UAF in hugetlb_handle_userfault Date: Mon, 17 Oct 2022 17:33:29 +0800 Message-ID: <20221017093329.1538465-1-liushixin2@huawei.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.113.32] X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To dggpemm100009.china.huawei.com (7.185.36.113) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org commit 958f32ce832ba781ac20e11bb2d12a9352ea28fc upstream. The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfault(), but reacquire the vma_lock could lead to UAF[1,2] due to the following race, hugetlb_fault hugetlb_no_page /*unlock vma_lock */ hugetlb_handle_userfault handle_userfault /* unlock mm->mmap_lock*/ vm_mmap_pgoff do_mmap mmap_region munmap_vma_range /* clean old vma */ /* lock vma_lock again <--- UAF */ /* unlock vma_lock */ Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix the issue. [1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/ Reported-by: syzbot+193f9cee8638750b23cf@syzkaller.appspotmail.com Reported-by: Liu Zixian Fixes: 1a1aad8a9b7b ("userfaultfd: hugetlbfs: add userfaultfd hugetlb hook") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Liu Shixin Signed-off-by: Kefeng Wang Reviewed-by: Mike Kravetz --- mm/hugetlb.c | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index c42c76447e10..c57c165bfbbc 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -4337,6 +4337,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, spinlock_t *ptl; unsigned long haddr = address & huge_page_mask(h); bool new_page = false; + u32 hash = hugetlb_fault_mutex_hash(mapping, idx); /* * Currently, we are forced to kill the process in the event the @@ -4346,7 +4347,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, if (is_vma_resv_set(vma, HPAGE_RESV_UNMAPPED)) { pr_warn_ratelimited("PID %d killed due to inadequate hugepage pool\n", current->pid); - return ret; + goto out; } /* @@ -4365,7 +4366,6 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, * Check for page in userfault range */ if (userfaultfd_missing(vma)) { - u32 hash; struct vm_fault vmf = { .vma = vma, .address = haddr, @@ -4380,17 +4380,14 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, }; /* - * hugetlb_fault_mutex and i_mmap_rwsem must be - * dropped before handling userfault. Reacquire - * after handling fault to make calling code simpler. + * vma_lock and hugetlb_fault_mutex must be dropped + * before handling userfault. Also mmap_lock will + * be dropped during handling userfault, any vma + * operation should be careful from here. */ - hash = hugetlb_fault_mutex_hash(mapping, idx); mutex_unlock(&hugetlb_fault_mutex_table[hash]); i_mmap_unlock_read(mapping); - ret = handle_userfault(&vmf, VM_UFFD_MISSING); - i_mmap_lock_read(mapping); - mutex_lock(&hugetlb_fault_mutex_table[hash]); - goto out; + return handle_userfault(&vmf, VM_UFFD_MISSING); } page = alloc_huge_page(vma, haddr, 0); @@ -4497,6 +4494,8 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm, unlock_page(page); out: + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + i_mmap_unlock_read(mapping); return ret; backout: @@ -4592,10 +4591,12 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma, mutex_lock(&hugetlb_fault_mutex_table[hash]); entry = huge_ptep_get(ptep); - if (huge_pte_none(entry)) { - ret = hugetlb_no_page(mm, vma, mapping, idx, address, ptep, flags); - goto out_mutex; - } + if (huge_pte_none(entry)) + /* + * hugetlb_no_page will drop vma lock and hugetlb fault + * mutex internally, which make us return immediately. + */ + return hugetlb_no_page(mm, vma, mapping, idx, address, ptep, flags); ret = 0; -- 2.25.1