cve/published/2021/CVE-2021-47256.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47256: mm/memory-failure: make sure wait for page writeback in memory_failure

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/memory-failure: make sure wait for page writeback in memory_failure

 Our syzkaller trigger the "BUG_ON(!list_empty(&inode->i_wb_list))" in
 clear_inode:

   kernel BUG at fs/inode.c:519!
   Internal error: Oops - BUG: 0 [#1] SMP
   Modules linked in:
   Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)
   CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95
   Hardware name: linux,dummy-virt (DT)
   pstate: 80000005 (Nzcv daif -PAN -UAO)
   pc : clear_inode+0x280/0x2a8
   lr : clear_inode+0x280/0x2a8
   Call trace:
     clear_inode+0x280/0x2a8
     ext4_clear_inode+0x38/0xe8
     ext4_free_inode+0x130/0xc68
     ext4_evict_inode+0xb20/0xcb8
     evict+0x1a8/0x3c0
     iput+0x344/0x460
     do_unlinkat+0x260/0x410
     __arm64_sys_unlinkat+0x6c/0xc0
     el0_svc_common+0xdc/0x3b0
     el0_svc_handler+0xf8/0x160
     el0_svc+0x10/0x218
   Kernel panic - not syncing: Fatal exception

 A crash dump of this problem show that someone called __munlock_pagevec
 to clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap
 -> munlock_vma_pages_range -> __munlock_pagevec.

 As a result memory_failure will call identify_page_state without
 wait_on_page_writeback.  And after truncate_error_page clear the mapping
 of this page.  end_page_writeback won't call sb_clear_inode_writeback to
 clear inode->i_wb_list.  That will trigger BUG_ON in clear_inode!

 Fix it by checking PageWriteback too to help determine should we skip
 wait_on_page_writeback.

 The Linux kernel CVE team has assigned CVE-2021-47256 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 4.14.238 with commit d05267fd27a5c4f54e06daefa3035995d765ca0c
 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 4.19.196 with commit 6d210d547adc2218ef8b5bcf23518c5f2f1fd872
 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.4.128 with commit 566345aaabac853aa866f53a219c4b02a6beb527
 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.10.46 with commit 9e379da727a7a031be9b877cde7b9c34a0fb8306
 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.12.13 with commit 28788dc5c70597395b6b451dae4549bbaa8e2c56
 	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.13 with commit e8675d291ac007e1c636870db880f837a9ea112a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47256
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/memory-failure.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c
 	https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872
 	https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527
 	https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306
 	https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56
 	https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47256: mm/memory-failure: make sure wait for page writeback in memory_failure

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/memory-failure: make sure wait for page writeback in memory_failure

	Our syzkaller trigger the "BUG_ON(!list_empty(&inode->i_wb_list))" in
	clear_inode:

	kernel BUG at fs/inode.c:519!
	Internal error: Oops - BUG: 0 [#1] SMP
	Modules linked in:
	Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)
	CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95
	Hardware name: linux,dummy-virt (DT)
	pstate: 80000005 (Nzcv daif -PAN -UAO)
	pc : clear_inode+0x280/0x2a8
	lr : clear_inode+0x280/0x2a8
	Call trace:
	clear_inode+0x280/0x2a8
	ext4_clear_inode+0x38/0xe8
	ext4_free_inode+0x130/0xc68
	ext4_evict_inode+0xb20/0xcb8
	evict+0x1a8/0x3c0
	iput+0x344/0x460
	do_unlinkat+0x260/0x410
	__arm64_sys_unlinkat+0x6c/0xc0
	el0_svc_common+0xdc/0x3b0
	el0_svc_handler+0xf8/0x160
	el0_svc+0x10/0x218
	Kernel panic - not syncing: Fatal exception

	A crash dump of this problem show that someone called __munlock_pagevec
	to clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap
	-> munlock_vma_pages_range -> __munlock_pagevec.

	As a result memory_failure will call identify_page_state without
	wait_on_page_writeback. And after truncate_error_page clear the mapping
	of this page. end_page_writeback won't call sb_clear_inode_writeback to
	clear inode->i_wb_list. That will trigger BUG_ON in clear_inode!

	Fix it by checking PageWriteback too to help determine should we skip
	wait_on_page_writeback.

	The Linux kernel CVE team has assigned CVE-2021-47256 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 4.14.238 with commit d05267fd27a5c4f54e06daefa3035995d765ca0c
	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 4.19.196 with commit 6d210d547adc2218ef8b5bcf23518c5f2f1fd872
	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.4.128 with commit 566345aaabac853aa866f53a219c4b02a6beb527
	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.10.46 with commit 9e379da727a7a031be9b877cde7b9c34a0fb8306
	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.12.13 with commit 28788dc5c70597395b6b451dae4549bbaa8e2c56
	Issue introduced in 3.16 with commit 0bc1f8b0682caa39f45ce1e0228ebf43acb46111 and fixed in 5.13 with commit e8675d291ac007e1c636870db880f837a9ea112a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47256
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/memory-failure.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c
	https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872
	https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527
	https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306
	https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56
	https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a