mirror-linux/mm
Lance Yang 6f86d0534f mm/secretmem: fix use-after-free race in fault handler
When a page fault occurs in a secret memory file created with
`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the
underlying page as not-present in the direct map, and add it to the file
mapping.

If two tasks cause a fault in the same page concurrently, both could end
up allocating a folio and removing the page from the direct map, but only
one would succeed in adding the folio to the file mapping.  The task that
failed undoes the effects of its attempt by (a) freeing the folio again
and (b) putting the page back into the direct map.  However, by doing
these two operations in this order, the page becomes available to the
allocator again before it is placed back in the direct mapping.

If another task attempts to allocate the page between (a) and (b), and the
kernel tries to access it via the direct map, it would result in a
supervisor not-present page fault.

Fix the ordering to restore the direct map before the folio is freed.

Link: https://lkml.kernel.org/r/20251031120955.92116-1-lance.yang@linux.dev
Fixes: 1507f51255 ("mm: introduce memfd_secret system call to create "secret" memory areas")
Signed-off-by: Lance Yang <lance.yang@linux.dev>
Reported-by: Google Big Sleep <big-sleep-vuln-reports@google.com>
Closes: https://lore.kernel.org/linux-mm/CAEXGt5QeDpiHTu3K9tvjUTPqo+d-=wuCNYPa+6sWKrdQJ-ATdg@mail.gmail.com/
Acked-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-11-09 21:19:46 -08:00
damon mm/damon/sysfs: change next_update_jiffies to a global variable 2025-11-09 21:19:45 -08:00
kasan Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
kfence kfence: drop nth_page() usage 2025-09-21 14:22:09 -07:00
kmsan mm/kmsan: fix kmsan kmalloc hook when no stack depots are allocated yet 2025-11-09 21:19:42 -08:00
Kconfig Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
Kconfig.debug mm: rename GENERIC_PTDUMP and PTDUMP_CORE 2025-03-17 00:05:32 -07:00
Makefile mm: remove unused zpool layer 2025-09-21 14:21:59 -07:00
backing-dev.c fuse update for 6.18 2025-10-03 12:48:18 -07:00
balloon_compaction.c mm/migrate: fix NULL movable_ops if CONFIG_ZSMALLOC=m 2025-08-19 16:35:57 -07:00
bootmem_info.c mm/sparse: allow for alternate vmemmap section init at boot 2025-03-16 22:06:27 -07:00
cma.c mm/cma: refuse handing out non-contiguous page ranges 2025-09-21 14:22:06 -07:00
cma.h mm: cma: set early_pfn and bitmap as a union in cma_memrange 2025-05-22 14:55:36 -07:00
cma_debug.c mm: cma: simplify cma_maxchunk_get() 2025-07-24 19:12:36 -07:00
cma_sysfs.c mm/cma: export total and free number of pages for CMA areas 2025-03-16 22:06:24 -07:00
compaction.c mm/compaction: fix low_pfn advance on isolating hugetlb 2025-09-28 11:51:29 -07:00
debug.c mm: convert core mm to mm_flags_*() accessors 2025-09-13 16:54:56 -07:00
debug_page_alloc.c mm/debug_page_alloc: improve error message for invalid guardpage minorder 2025-05-12 23:50:38 -07:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: clear page table entries at destroy_args() 2025-08-19 16:35:54 -07:00
dmapool.c docs: dma-api: replace consistent with coherent 2025-07-01 13:25:36 -06:00
dmapool_test.c
early_ioremap.c
execmem.c mm: remove PMD alignment constraint in execmem_vmalloc() 2025-09-28 11:51:31 -07:00
fadvise.c
fail_page_alloc.c
failslab.c
filemap.c mm/memory: do not populate page table entries beyond i_size 2025-11-09 21:19:43 -08:00
folio-compat.c
gup.c mm/gup: fix handling of errors from arch_make_folio_accessible() in follow_page_pte() 2025-09-21 14:22:29 -07:00
gup_test.c
gup_test.h
highmem.c mm: constify highmem related functions for improved const-correctness 2025-09-21 14:22:15 -07:00
hmm.c dma-mapping updates for Linux 6.18: 2025-10-03 17:41:12 -07:00
huge_memory.c mm/huge_memory: initialise the tags of the huge zero folio 2025-11-09 21:19:46 -08:00
hugetlb.c hugetlbfs: move lock assertions after early returns in huge_pmd_unshare() 2025-10-21 15:46:17 -07:00
hugetlb_cgroup.c page_counter: track failcnt only for legacy cgroups 2025-03-17 00:05:35 -07:00
hugetlb_cma.c mm: hugetlb: directly pass order when allocate a hugetlb folio 2025-09-21 14:22:11 -07:00
hugetlb_cma.h mm: hugetlb: directly pass order when allocate a hugetlb folio 2025-09-21 14:22:11 -07:00
hugetlb_vmemmap.c mm/pagewalk: split walk_page_range_novma() into kernel/user parts 2025-07-09 22:42:05 -07:00
hugetlb_vmemmap.h mm/hugetlb: do pre-HVO for bootmem allocated pages 2025-03-16 22:06:29 -07:00
hwpoison-inject.c mm/hwpoison: decouple hwpoison_filter from mm/memory-failure.c 2025-09-21 14:22:21 -07:00
init-mm.c mm: replace vm_lock and detached flag with a reference count 2025-03-16 22:06:20 -07:00
internal.h Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
interval_tree.c
ioremap.c mm/ioremap: pass pgprot_t to ioremap_prot() instead of unsigned long 2025-03-16 22:06:23 -07:00
khugepaged.c mm/khugepaged: use KMEM_CACHE() 2025-10-03 16:42:44 -07:00
kmemleak.c mm: fix possible deadlock in kmemleak 2025-09-01 17:11:37 -07:00
ksm.c ksm: use range-walk function to jump over holes in scan_get_next_rmap_item 2025-11-09 21:19:42 -08:00
list_lru.c mm, list_lru: refactor the locking code 2025-07-09 22:41:56 -07:00
maccess.c mm: unexport globally copy_to_kernel_nofault 2025-07-09 22:42:22 -07:00
madvise.c mm: clean up is_guard_pte_marker() 2025-10-03 16:42:43 -07:00
mapping_dirty_helpers.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
memblock.c kho: replace kho_preserve_phys() with kho_preserve_pages() 2025-10-07 13:48:55 -07:00
memcontrol-v1.c mm/memcg: v1: account event registrations and drop world-writable cgroup.event_control 2025-09-21 14:22:26 -07:00
memcontrol-v1.h memcg: move do_memsw_account() to CONFIG_MEMCG_V1 2025-03-21 22:03:11 -07:00
memcontrol.c memcg: skip cgroup_file_notify if spinning is not allowed 2025-10-07 14:01:11 -07:00
memfd.c mm/memfd: remove redundant casts 2025-09-21 14:22:00 -07:00
memory-failure.c mm, swap: cleanup swap cache API and add kerneldoc 2025-09-21 14:22:23 -07:00
memory-tiers.c mm: re-enable kswapd when memory pressure subsides or demotion is toggled 2025-09-21 14:22:29 -07:00
memory.c mm/memory: do not populate page table entries beyond i_size 2025-11-09 21:19:43 -08:00
memory_hotplug.c mm/memory_hotplug: activate node before adding new memory blocks 2025-10-03 16:42:43 -07:00
mempolicy.c mm: split folio_pte_batch() into folio_pte_batch() and folio_pte_batch_flags() 2025-07-19 18:59:45 -07:00
mempool.c mm: mempool: fix crash in mempool_free() for zero-minimum pools 2025-08-02 12:06:13 -07:00
memremap.c mm/memremap: remove unused get_dev_pagemap() parameter 2025-09-21 14:22:21 -07:00
memtest.c
migrate.c mm: prevent poison consumption when splitting THP 2025-10-15 13:24:34 -07:00
migrate_device.c treewide: remove MIGRATEPAGE_SUCCESS 2025-09-13 16:54:50 -07:00
mincore.c mm, swap: use unified helper for swap cache look up 2025-09-21 14:22:22 -07:00
mlock.c mm: folio_may_be_lru_cached() unless folio_test_large() 2025-09-13 13:05:36 -07:00
mm_init.c mm/mm_init: fix hash table order logging in alloc_large_system_hash() 2025-11-09 21:19:44 -08:00
mm_slot.h
mmap.c mm: specify separate file and vm_file params in vm_area_desc 2025-09-22 20:17:11 -07:00
mmap_lock.c mm: change vma_start_read() to drop RCU lock on failure 2025-09-13 16:54:43 -07:00
mmu_gather.c mm: remove redundant __GFP_NOWARN 2025-09-13 16:54:58 -07:00
mmu_notifier.c Update Christoph's Email address and make it consistent 2025-05-12 23:50:31 -07:00
mmzone.c mm: introduce memdesc_flags_t 2025-09-13 16:55:07 -07:00
mprotect.c mm: pass page directly instead of using folio_page 2025-08-11 23:00:59 -07:00
mremap.c mm/mremap: honour writable bit in mremap pte batching 2025-11-09 21:19:44 -08:00
mseal.c mm/mseal: rework mseal apply logic 2025-08-02 12:06:09 -07:00
msync.c
nommu.c mm/nommu: convert kobjsize() to folios 2025-09-13 16:54:46 -07:00
numa.c mm/numa: remove unnecessary local variable in alloc_node_data() 2025-05-12 23:50:38 -07:00
numa_emulation.c mm: numa,memblock: Use SZ_1M macro to denote bytes to MB conversion 2025-08-20 16:31:23 +03:00
numa_memblks.c mm: numa,memblock: Use SZ_1M macro to denote bytes to MB conversion 2025-08-20 16:31:23 +03:00
oom_kill.c mm/oom_kill.c: fix inverted check 2025-09-23 14:14:16 -07:00
page-writeback.c fuse update for 6.18 2025-10-03 12:48:18 -07:00
page_alloc.c Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
page_counter.c page_counter: track failcnt only for legacy cgroups 2025-03-17 00:05:35 -07:00
page_ext.c mm,page_ext: derive the node from the pfn 2025-07-13 16:38:16 -07:00
page_frag_cache.c
page_idle.c sysfs: treewide: switch back to attribute_group::bin_attrs 2025-06-17 10:44:15 +02:00
page_io.c mm, swap: tidy up swap device and cluster info helpers 2025-09-21 14:22:23 -07:00
page_isolation.c mm/page_isolation: drop __folio_test_movable() check for large folios 2025-07-13 16:38:29 -07:00
page_owner.c mm: don't spin in add_stack_record when gfp flags don't allow 2025-10-15 13:24:33 -07:00
page_poison.c
page_reporting.c
page_reporting.h
page_table_check.c mm/page_table_check: Batch-check pmds/puds just like ptes 2025-05-09 13:43:07 +01:00
page_vma_mapped.c mm/page_vma_mapped: track if the page is mapped across page table boundary 2025-09-28 11:51:29 -07:00
pagewalk.c Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
percpu-internal.h
percpu-km.c mm/mm/percpu-km: drop nth_page() usage within single allocation 2025-09-21 14:22:04 -07:00
percpu-stats.c mm: remove outdated filename comment in percpu-stats.c 2025-07-13 16:38:23 -07:00
percpu-vm.c
percpu.c percpu: fix race on alloc failed warning limit 2025-09-08 23:45:10 -07:00
pgalloc-track.h
pgtable-generic.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
process_vm_access.c
pt_reclaim.c
ptdump.c mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() 2025-07-09 22:42:20 -07:00
readahead.c readahead: add trace points 2025-09-21 14:22:28 -07:00
rmap.c mm/rmap: improve mlock tracking for large folios 2025-09-28 11:51:31 -07:00
rodata_test.c
secretmem.c mm/secretmem: fix use-after-free race in fault handler 2025-11-09 21:19:46 -08:00
shmem.c mm/shmem: fix THP allocation and fallback loop 2025-11-09 21:19:42 -08:00
shmem_quota.c
show_mem.c mm: re-enable kswapd when memory pressure subsides or demotion is toggled 2025-09-21 14:22:29 -07:00
shrinker.c
shrinker_debug.c mm/shrinker: fix name consistency issue in shrinker_debugfs_rename() 2025-03-17 00:05:40 -07:00
shuffle.c
shuffle.h
slab.h Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
slab_common.c slab: Introduce kmalloc_nolock() and kfree_nolock(). 2025-09-29 09:42:36 +02:00
slub.c codetag: debug: handle existing CODETAG_EMPTY in mark_objexts_empty for slabobj_ext 2025-11-09 21:19:44 -08:00
sparse-vmemmap.c mm: introduce and use {pgd,p4d}_populate_kernel() 2025-08-27 22:45:44 -07:00
sparse.c mm: introduce memdesc_nid() 2025-09-13 16:55:07 -07:00
swap.c mm: lru_add_drain_all() do local lru_add_drain() first 2025-09-21 14:22:32 -07:00
swap.h mm, swap: implement dynamic allocation of swap table 2025-09-21 14:22:25 -07:00
swap_cgroup.c mm: swap_cgroup: remove double initialization of locals 2025-03-17 22:06:58 -07:00
swap_state.c mm, swap: implement dynamic allocation of swap table 2025-09-21 14:22:25 -07:00
swap_table.h mm, swap: use a single page for swap table when the size fits 2025-09-21 14:22:25 -07:00
swapfile.c mm: swap: check for stable address space before operating on the VMA 2025-09-28 11:51:34 -07:00
truncate.c mm/truncate: unmap large folio on split failure 2025-11-09 21:19:43 -08:00
usercopy.c
userfaultfd.c mm, swap: use unified helper for swap cache look up 2025-09-21 14:22:22 -07:00
util.c fsnotify: pass correct offset to fsnotify_mmap_perm() 2025-10-07 14:01:12 -07:00
vma.c mm: specify separate file and vm_file params in vm_area_desc 2025-09-22 20:17:11 -07:00
vma.h mm: specify separate file and vm_file params in vm_area_desc 2025-09-22 20:17:11 -07:00
vma_exec.c mm/vma: use vmg->target to specify target VMA for new VMA merge 2025-07-09 22:42:11 -07:00
vma_init.c Summary of significant series in this pull request: 2025-10-02 18:18:33 -07:00
vma_internal.h
vmalloc.c mm/vmalloc: move resched point into alloc_vmap_area() 2025-09-23 14:14:16 -07:00
vmpressure.c memcg: convert memcg->socket_pressure to u64 2025-07-24 19:12:32 -07:00
vmscan.c mm: re-enable kswapd when memory pressure subsides or demotion is toggled 2025-09-21 14:22:29 -07:00
vmstat.c mm: re-enable kswapd when memory pressure subsides or demotion is toggled 2025-09-21 14:22:29 -07:00
workingset.c mm: introduce memdesc_flags_t 2025-09-13 16:55:07 -07:00
zpdesc.h mm: zpdesc: minor naming and comment corrections 2025-09-21 14:21:59 -07:00
zsmalloc.c mm: remove unused zpool layer 2025-09-21 14:21:59 -07:00
zswap.c mm, swap: remove contention workaround for swap cache 2025-09-21 14:22:25 -07:00