cve/published/2022/CVE-2022-48986.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48986: mm/gup: fix gup_pud_range() for dax

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/gup: fix gup_pud_range() for dax

 For dax pud, pud_huge() returns true on x86. So the function works as long
 as hugetlb is configured. However, dax doesn't depend on hugetlb.
 Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
 devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
 well.

 This fixes the below kernel panic:

 general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
 	< snip >
 Call Trace:
 <TASK>
 get_user_pages_fast+0x1f/0x40
 iov_iter_get_pages+0xc6/0x3b0
 ? mempool_alloc+0x5d/0x170
 bio_iov_iter_get_pages+0x82/0x4e0
 ? bvec_alloc+0x91/0xc0
 ? bio_alloc_bioset+0x19a/0x2a0
 blkdev_direct_IO+0x282/0x480
 ? __io_complete_rw_common+0xc0/0xc0
 ? filemap_range_has_page+0x82/0xc0
 generic_file_direct_write+0x9d/0x1a0
 ? inode_update_time+0x24/0x30
 __generic_file_write_iter+0xbd/0x1e0
 blkdev_write_iter+0xb4/0x150
 ? io_import_iovec+0x8d/0x340
 io_write+0xf9/0x300
 io_issue_sqe+0x3c3/0x1d30
 ? sysvec_reschedule_ipi+0x6c/0x80
 __io_queue_sqe+0x33/0x240
 ? fget+0x76/0xa0
 io_submit_sqes+0xe6a/0x18d0
 ? __fget_light+0xd1/0x100
 __x64_sys_io_uring_enter+0x199/0x880
 ? __context_tracking_enter+0x1f/0x70
 ? irqentry_exit_to_user_mode+0x24/0x30
 ? irqentry_exit+0x1d/0x30
 ? __context_tracking_exit+0xe/0x70
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x61/0xcb
 RIP: 0033:0x7fc97c11a7be
 	< snip >
 </TASK>
 ---[ end trace 48b2e0e67debcaeb ]---
 RIP: 0010:internal_get_user_pages_fast+0x340/0x990
 	< snip >
 Kernel panic - not syncing: Fatal exception
 Kernel Offset: disabled

 The Linux kernel CVE team has assigned CVE-2022-48986 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.4.227 with commit 04edfa3dc06ecfc6133a33bc7271298782dee875
 	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.10.159 with commit f1cf856123ceb766c49967ec79b841030fa1741f
 	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.15.83 with commit 3ac29732a2ffa64c7de13a072b0f2848b9c11037
 	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 6.0.13 with commit e06d13c36ded750c72521b600293befebb4e56c5
 	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 6.1 with commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920
 	Issue introduced in 4.9.165 with commit c133d8eb894cb280f331608c6f1962ba9fbfe6b0
 	Issue introduced in 4.14.108 with commit 538162d21ac877b060dc057c89f13718f5caffc5
 	Issue introduced in 4.19.31 with commit 8b1a7762e0dac5db42a003009fdcb425f10baa07

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48986
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/gup.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875
 	https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f
 	https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037
 	https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befebb4e56c5
 	https://git.kernel.org/stable/c/fcd0ccd836ffad73d98a66f6fea7b16f735ea920
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48986: mm/gup: fix gup_pud_range() for dax

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/gup: fix gup_pud_range() for dax

	For dax pud, pud_huge() returns true on x86. So the function works as long
	as hugetlb is configured. However, dax doesn't depend on hugetlb.
	Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed
	devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as
	well.

	This fixes the below kernel panic:

	general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1] SMP
	< snip >
	Call Trace:
	<TASK>
	get_user_pages_fast+0x1f/0x40
	iov_iter_get_pages+0xc6/0x3b0
	? mempool_alloc+0x5d/0x170
	bio_iov_iter_get_pages+0x82/0x4e0
	? bvec_alloc+0x91/0xc0
	? bio_alloc_bioset+0x19a/0x2a0
	blkdev_direct_IO+0x282/0x480
	? __io_complete_rw_common+0xc0/0xc0
	? filemap_range_has_page+0x82/0xc0
	generic_file_direct_write+0x9d/0x1a0
	? inode_update_time+0x24/0x30
	__generic_file_write_iter+0xbd/0x1e0
	blkdev_write_iter+0xb4/0x150
	? io_import_iovec+0x8d/0x340
	io_write+0xf9/0x300
	io_issue_sqe+0x3c3/0x1d30
	? sysvec_reschedule_ipi+0x6c/0x80
	__io_queue_sqe+0x33/0x240
	? fget+0x76/0xa0
	io_submit_sqes+0xe6a/0x18d0
	? __fget_light+0xd1/0x100
	__x64_sys_io_uring_enter+0x199/0x880
	? __context_tracking_enter+0x1f/0x70
	? irqentry_exit_to_user_mode+0x24/0x30
	? irqentry_exit+0x1d/0x30
	? __context_tracking_exit+0xe/0x70
	do_syscall_64+0x3b/0x90
	entry_SYSCALL_64_after_hwframe+0x61/0xcb
	RIP: 0033:0x7fc97c11a7be
	< snip >
	</TASK>
	---[ end trace 48b2e0e67debcaeb ]---
	RIP: 0010:internal_get_user_pages_fast+0x340/0x990
	< snip >
	Kernel panic - not syncing: Fatal exception
	Kernel Offset: disabled

	The Linux kernel CVE team has assigned CVE-2022-48986 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.4.227 with commit 04edfa3dc06ecfc6133a33bc7271298782dee875
	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.10.159 with commit f1cf856123ceb766c49967ec79b841030fa1741f
	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 5.15.83 with commit 3ac29732a2ffa64c7de13a072b0f2848b9c11037
	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 6.0.13 with commit e06d13c36ded750c72521b600293befebb4e56c5
	Issue introduced in 5.0 with commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 and fixed in 6.1 with commit fcd0ccd836ffad73d98a66f6fea7b16f735ea920
	Issue introduced in 4.9.165 with commit c133d8eb894cb280f331608c6f1962ba9fbfe6b0
	Issue introduced in 4.14.108 with commit 538162d21ac877b060dc057c89f13718f5caffc5
	Issue introduced in 4.19.31 with commit 8b1a7762e0dac5db42a003009fdcb425f10baa07

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48986
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/gup.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/04edfa3dc06ecfc6133a33bc7271298782dee875
	https://git.kernel.org/stable/c/f1cf856123ceb766c49967ec79b841030fa1741f
	https://git.kernel.org/stable/c/3ac29732a2ffa64c7de13a072b0f2848b9c11037
	https://git.kernel.org/stable/c/e06d13c36ded750c72521b600293befebb4e56c5
	https://git.kernel.org/stable/c/fcd0ccd836ffad73d98a66f6fea7b16f735ea920