CVE-2022-48802

In the Linux kernel, the following vulnerability has been resolved:

fs/proc: task_mmu.c: don't read mapcount for migration entry

The syzbot reported the below BUG:

kernel BUG at include/linux/page-flags.h:785! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline] RIP: 0010:_pagemapcount+0x2d2/0x350 mm/util.c:744 Call Trace: pagemapcount include/linux/mm.h:837 [inline] smapsaccount+0x470/0xb10 fs/proc/taskmmu.c:466 smapspteentry fs/proc/taskmmu.c:538 [inline] smapspterange+0x611/0x1250 fs/proc/taskmmu.c:601 walkpmdrange mm/pagewalk.c:128 [inline] walkpudrange mm/pagewalk.c:205 [inline] walkp4drange mm/pagewalk.c:240 [inline] walkpgdrange mm/pagewalk.c:277 [inline] _walkpagerange+0xe23/0x1ea0 mm/pagewalk.c:379 walkpagevma+0x277/0x350 mm/pagewalk.c:530 smapgatherstats.part.0+0x148/0x260 fs/proc/taskmmu.c:768 smapgatherstats fs/proc/taskmmu.c:741 [inline] showsmap+0xc6/0x440 fs/proc/taskmmu.c:822 seqreaditer+0xbb0/0x1240 fs/seqfile.c:272 seqread+0x3e0/0x5b0 fs/seqfile.c:162 vfsread+0x1b5/0x600 fs/readwrite.c:479 ksysread+0x12d/0x250 fs/readwrite.c:619 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64after_hwframe+0x44/0xae

The reproducer was trying to read /proc/$PID/smaps when calling MADVFREE at the mean time. MADVFREE may split THPs if it is called for partial THP. It may trigger the below race:

       CPU A                         CPU B
       -----                         -----

smaps walk: MADVFREE: pagemapcount() PageCompound() splithugepage() page = compound_head(page) PageDoubleMap(page)

When calling PageDoubleMap() this page is not a tail page of THP anymore so the BUG is triggered.

This could be fixed by elevated refcount of the page before calling mapcount, but that would prevent it from counting migration entries, and it seems overkilling because the race just could happen when PMD is split so all PTE entries of tail pages are actually migration entries, and smaps_account() does treat migration entries as mapcount == 1 as Kirill pointed out.

Add a new parameter for smapsaccount() to tell this entry is migration entry then skip calling pagemapcount(). Don't skip getting mapcount for device private entries since they do track references with mapcount.

Pagemap also has the similar issue although it was not reported. Fixed it as well.

[shy828301@gmail.com: v4] Link: https://lkml.kernel.org/r/20220203182641.824731-1-shy828301@gmail.com [nathan@kernel.org: avoid unused variable warning in pagemappmdrange()] Link: https://lkml.kernel.org/r/20220207171049.1102239-1-nathan@kernel.org