cve/published/2021/CVE-2021-47492.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47492: mm, thp: bail out early in collapse_file for writeback page

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm, thp: bail out early in collapse_file for writeback page

 Currently collapse_file does not explicitly check PG_writeback, instead,
 page_has_private and try_to_release_page are used to filter writeback
 pages.  This does not work for xfs with blocksize equal to or larger
 than pagesize, because in such case xfs has no page->private.

 This makes collapse_file bail out early for writeback page.  Otherwise,
 xfs end_page_writeback will panic as follows.

   page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
   aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
   flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)
   raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
   raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
   page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
   page->mem_cgroup:ffff0000c3e9a000
   ------------[ cut here ]------------
   kernel BUG at include/linux/mm.h:1212!
   Internal error: Oops - BUG: 0 [#1] SMP
   Modules linked in:
   BUG: Bad page state in process khugepaged  pfn:84ef32
    xfs(E)
   page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
    libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
   CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
   pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
   Call trace:
     end_page_writeback+0x1c0/0x214
     iomap_finish_page_writeback+0x13c/0x204
     iomap_finish_ioend+0xe8/0x19c
     iomap_writepage_end_bio+0x38/0x50
     bio_endio+0x168/0x1ec
     blk_update_request+0x278/0x3f0
     blk_mq_end_request+0x34/0x15c
     virtblk_request_done+0x38/0x74 [virtio_blk]
     blk_done_softirq+0xc4/0x110
     __do_softirq+0x128/0x38c
     __irq_exit_rcu+0x118/0x150
     irq_exit+0x1c/0x30
     __handle_domain_irq+0x8c/0xf0
     gic_handle_irq+0x84/0x108
     el1_irq+0xcc/0x180
     arch_cpu_idle+0x18/0x40
     default_idle_call+0x4c/0x1a0
     cpuidle_idle_call+0x168/0x1e0
     do_idle+0xb4/0x104
     cpu_startup_entry+0x30/0x9c
     secondary_start_kernel+0x104/0x180
   Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
   ---[ end trace 4a88c6a074082f8c ]---
   Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt

 The Linux kernel CVE team has assigned CVE-2021-47492 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.10.77 with commit 69a7fa5cb0de06c8956b040f19a7248c8c8308ca
 	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.14.16 with commit 5e669d8ab30ab61dec3c36e27b4711f07611e6fc
 	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.15 with commit 74c42e1baacf206338b1dd6b6199ac964512b5bb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47492
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/khugepaged.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/69a7fa5cb0de06c8956b040f19a7248c8c8308ca
 	https://git.kernel.org/stable/c/5e669d8ab30ab61dec3c36e27b4711f07611e6fc
 	https://git.kernel.org/stable/c/74c42e1baacf206338b1dd6b6199ac964512b5bb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47492: mm, thp: bail out early in collapse_file for writeback page

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm, thp: bail out early in collapse_file for writeback page

	Currently collapse_file does not explicitly check PG_writeback, instead,
	page_has_private and try_to_release_page are used to filter writeback
	pages. This does not work for xfs with blocksize equal to or larger
	than pagesize, because in such case xfs has no page->private.

	This makes collapse_file bail out early for writeback page. Otherwise,
	xfs end_page_writeback will panic as follows.

	page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
	aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
	flags: 0x57fffe0000008027(locked\|referenced\|uptodate\|active\|writeback)
	raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
	raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
	page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
	page->mem_cgroup:ffff0000c3e9a000
	------------[ cut here ]------------
	kernel BUG at include/linux/mm.h:1212!
	Internal error: Oops - BUG: 0 [#1] SMP
	Modules linked in:
	BUG: Bad page state in process khugepaged pfn:84ef32
	xfs(E)
	page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
	libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
	CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
	pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
	Call trace:
	end_page_writeback+0x1c0/0x214
	iomap_finish_page_writeback+0x13c/0x204
	iomap_finish_ioend+0xe8/0x19c
	iomap_writepage_end_bio+0x38/0x50
	bio_endio+0x168/0x1ec
	blk_update_request+0x278/0x3f0
	blk_mq_end_request+0x34/0x15c
	virtblk_request_done+0x38/0x74 [virtio_blk]
	blk_done_softirq+0xc4/0x110
	__do_softirq+0x128/0x38c
	__irq_exit_rcu+0x118/0x150
	irq_exit+0x1c/0x30
	__handle_domain_irq+0x8c/0xf0
	gic_handle_irq+0x84/0x108
	el1_irq+0xcc/0x180
	arch_cpu_idle+0x18/0x40
	default_idle_call+0x4c/0x1a0
	cpuidle_idle_call+0x168/0x1e0
	do_idle+0xb4/0x104
	cpu_startup_entry+0x30/0x9c
	secondary_start_kernel+0x104/0x180
	Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
	---[ end trace 4a88c6a074082f8c ]---
	Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt

	The Linux kernel CVE team has assigned CVE-2021-47492 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.10.77 with commit 69a7fa5cb0de06c8956b040f19a7248c8c8308ca
	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.14.16 with commit 5e669d8ab30ab61dec3c36e27b4711f07611e6fc
	Issue introduced in 5.4 with commit 99cb0dbd47a15d395bf3faa78dc122bc5efe3fc0 and fixed in 5.15 with commit 74c42e1baacf206338b1dd6b6199ac964512b5bb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47492
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/khugepaged.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/69a7fa5cb0de06c8956b040f19a7248c8c8308ca
	https://git.kernel.org/stable/c/5e669d8ab30ab61dec3c36e27b4711f07611e6fc
	https://git.kernel.org/stable/c/74c42e1baacf206338b1dd6b6199ac964512b5bb