In the Linux kernel, the following vulnerability has been resolved:
drm/msm: Fix mmap to include VMIO and VMDONTDUMP
In commit 510410bfc034 ("drm/msm: Implement mmap as GEM object function") we switched to a new/cleaner method of doing things. That's good, but we missed a little bit.
Before that commit, we used to first run through the
drmgemmmap_obj() case where obj->funcs->mmap()
was NULL. That meant
that we ran:
vma->vmflags |= VMIO | VMPFNMAP | VMDONTEXPAND | VMDONTDUMP; vma->vmpageprot = pgprotwritecombine(vmgetpageprot(vma->vmflags)); vma->vmpageprot = pgprotdecrypted(vma->vmpage_prot);
...and then we modified those mappings with our own. Now that
obj->funcs->mmap()
is no longer NULL we don't run the default
code. It looks like the fact that the vmflags got VMIO / VM_DONTDUMP
was important because we're now getting crashes on Chromebooks that
use ARC++ while logging out. Specifically a crash that looks like this
(this is on a 5.10 kernel w/ relevant backports but also seen on a
5.15 kernel):
Unable to handle kernel paging request at virtual address ffffffc008000000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000008293d000 [ffffffc008000000] pgd=00000001002b3003, p4d=00000001002b3003, pud=00000001002b3003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP [...] CPU: 7 PID: 15734 Comm: crashdump64 Tainted: G W 5.10.67 #1 [...] Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT) pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--) pc : _archcopytouser+0xc0/0x30c lr : copyout+0xac/0x14c [...] Call trace: _archcopytouser+0xc0/0x30c copypagetoiter+0x1a0/0x294 processvmrwcore+0x240/0x408 processvmrw+0x110/0x16c _arm64sysprocessvmreadv+0x30/0x3c el0svccommon+0xf8/0x250 doel0svc+0x30/0x80 el0svc+0x10/0x1c el0synchandler+0x78/0x108 el0sync+0x184/0x1c0 Code: f8408423 f80008c3 910020c6 36100082 (b8404423)
Let's add the two flags back in.
While we're at it, the fact that we aren't running the default means that we don't need to clear out VM_PFNMAP, so remove that and save an instruction.
NOTE: it was confirmed that VMIO was the important flag to fix the problem I was seeing, but adding back VMDONTDUMP seems like a sane thing to do so I'm doing that too.