CVE-2024-45024

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix hugetlb vs. core-mm PT locking

We recently made GUP's common page table walking code to also walk hugetlb VMAs without most hugetlb special-casing, preparing for the future of having less hugetlb-specific page table walking code in the codebase. Turns out that we missed one page table locking detail: page table locking for hugetlb folios that are not mapped using a single PMD/PUD.

Assume we have hugetlb folio that spans multiple PTEs (e.g., 64 KiB hugetlb folios on arm64 with 4 KiB base page size). GUP, as it walks the page tables, will perform a pteoffsetmap_lock() to grab the PTE table lock.

However, hugetlb that concurrently modifies these page tables would actually grab the mm->pagetablelock: with USESPLITPTEPTLOCKS, the locks would differ. Something similar can happen right now with hugetlb folios that span multiple PMDs when USESPLITPMDPTLOCKS.

This issue can be reproduced [1], for example triggering:

[ 3105.936100] ------------[ cut here ]------------ [ 3105.939323] WARNING: CPU: 31 PID: 2732 at mm/gup.c:142 trygrabfolio+0x11c/0x188 [ 3105.944634] Modules linked in: [...] [ 3105.974841] CPU: 31 PID: 2732 Comm: reproducer Not tainted 6.10.0-64.eln141.aarch64 #1 [ 3105.980406] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20240524-4.fc40 05/24/2024 [ 3105.986185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 3105.991108] pc : trygrabfolio+0x11c/0x188 [ 3105.994013] lr : followpagepte+0xd8/0x430 [ 3105.996986] sp : ffff80008eafb8f0 [ 3105.999346] x29: ffff80008eafb900 x28: ffffffe8d481f380 x27: 00f80001207cff43 [ 3106.004414] x26: 0000000000000001 x25: 0000000000000000 x24: ffff80008eafba48 [ 3106.009520] x23: 0000ffff9372f000 x22: ffff7a54459e2000 x21: ffff7a546c1aa978 [ 3106.014529] x20: ffffffe8d481f3c0 x19: 0000000000610041 x18: 0000000000000001 [ 3106.019506] x17: 0000000000000001 x16: ffffffffffffffff x15: 0000000000000000 [ 3106.024494] x14: ffffb85477fdfe08 x13: 0000ffff9372ffff x12: 0000000000000000 [ 3106.029469] x11: 1fffef4a88a96be1 x10: ffff7a54454b5f0c x9 : ffffb854771b12f0 [ 3106.034324] x8 : 0008000000000000 x7 : ffff7a546c1aa980 x6 : 0008000000000080 [ 3106.038902] x5 : 00000000001207cf x4 : 0000ffff9372f000 x3 : ffffffe8d481f000 [ 3106.043420] x2 : 0000000000610041 x1 : 0000000000000001 x0 : 0000000000000000 [ 3106.047957] Call trace: [ 3106.049522] trygrabfolio+0x11c/0x188 [ 3106.051996] followpmdmask.constprop.0.isra.0+0x150/0x2e0 [ 3106.055527] followpagemask+0x1a0/0x2b8 [ 3106.058118] _getuserpages+0xf0/0x348 [ 3106.060647] faultinpagerange+0xb0/0x360 [ 3106.063651] domadvise+0x340/0x598

Let's make hugeptelockptr() effectively use the same PT locks as any core-mm page table walker would. Add pteplockptr() to obtain the PTE page table lock using a pte pointer -- unfortunately we cannot convert ptelockptr() because virttopage() doesn't work with kmap'ed page tables we can have with CONFIG_HIGHPTE.

Handle CONFIGPGTABLELEVELS correctly by checking in reverse order, such that when e.g., CONFIGPGTABLELEVELS==2 with PGDIRSIZE==P4DSIZE==PUDSIZE==PMDSIZE will work as expected. Document why that works.

There is one ugly case: powerpc 8xx, whereby we have an 8 MiB hugetlb folio being mapped using two PTE page tables. While hugetlb wants to take the PMD table lock, core-mm would grab the PTE table lock of one of both PTE page tables. In such corner cases, we have to make sure that both locks match, which is (fortunately!) currently guaranteed for 8xx as it does not support SMP and consequently doesn't use split PT locks.

[1] https://lore.kernel.org/all/1bbfcc7f-f222-45a5-ac44-c5a1381c596d@redhat.com/