In the Linux kernel, the following vulnerability has been resolved:
mm/gup: handle NULL pages in unpin_user_pages()
The recent addition of "pofs" (pages or folios) handling to gup has a flaw: it assumes that unpin_user_pages() handles NULL pages in the pages** array. That's not the case, as I discovered when I ran on a new configuration on my test machine.
Fix this by skipping NULL pages in unpin_user_pages(), just like unpin_folios() already does.
Details: when booting on x86 with "numa=fake=2 movablecore=4G" on Linux 6.12, and running this:
tools/testing/selftests/mm/gup_longterm
...I get the following crash:
BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:sanity_check_pinned_pages+0x3a/0x2d0
...
Call Trace:
<TASK>
? __die_body+0x66/0xb0
? page_fault_oops+0x30c/0x3b0
? do_user_addr_fault+0x6c3/0x720
? irqentry_enter+0x34/0x60
? exc_page_fault+0x68/0x100
? asm_exc_page_fault+0x22/0x30
? sanity_check_pinned_pages+0x3a/0x2d0
unpin_user_pages+0x24/0xe0
check_and_migrate_movable_pages_or_folios+0x455/0x4b0
__gup_longterm_locked+0x3bf/0x820
? mmap_read_lock_killable+0x12/0x50
? __pfx_mmap_read_lock_killable+0x10/0x10
pin_user_pages+0x66/0xa0
gup_test_ioctl+0x358/0xb20
__se_sys_ioctl+0x6b/0xc0
do_syscall_64+0x7b/0x150
entry_SYSCALL_64_after_hwframe+0x76/0x7e
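A userspace model of the bug and the fix described above, added here as an illustration; it is not the kernel patch or kernel code. The struct layout, the function names and the sample array are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a page descriptor; field names are illustrative only. */
struct page {
    unsigned long flags;
    unsigned long head;   /* second word: offset 8 on a 64-bit build */
    int pincount;
};

/* Address that a read of page->head touches. For page == NULL on a 64-bit
 * build this is 0x8, the same shape of fault as the address in the trace. */
static uintptr_t head_read_address(const struct page *page)
{
    return (uintptr_t)page + offsetof(struct page, head);
}

/* Unfixed shape: every slot is assumed valid. Instead of crashing, report
 * the first index the walk would dereference as NULL, or -1 if none. */
static long unsafe_walk_faults_at(struct page **pages, size_t npages)
{
    for (size_t i = 0; i < npages; i++)
        if (!pages[i])
            return (long)i;
    return -1;
}

/* Fixed shape: skip NULL slots and drop one pin on each remaining page.
 * Returns the number of pages actually unpinned. */
static size_t unpin_skip_null(struct page **pages, size_t npages)
{
    size_t done = 0;
    for (size_t i = 0; i < npages; i++) {
        if (!pages[i])
            continue;     /* the check the fix adds */
        pages[i]->pincount--;
        done++;
    }
    return done;
}

int main(void)
{
    struct page a = {0, 0, 1}, b = {0, 0, 1};
    struct page *pages[] = { &a, NULL, &b, NULL };  /* constructed input */
    printf("NULL read lands at %#lx\n", (unsigned long)head_read_address(NULL));
    printf("unfixed walk faults at index %ld\n", unsafe_walk_faults_at(pages, 4));
    printf("fixed walk unpinned %zu pages\n", unpin_skip_null(pages, 4));
    return 0;
}
```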