torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code
9bbffee67f
linux/mm
History
Suren Baghdasaryan 9bbffee67f mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped 
By inducing delays in the right places, Jann Horn created a reproducer for
a hard to hit UAF issue that became possible after VMAs were allowed to be
recycled by adding SLAB_TYPESAFE_BY_RCU to their cache.

Race description is borrowed from Jann's discovery report:
lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under
rcu_read_lock().  At that point, the VMA may be concurrently freed, and it
can be recycled by another process.  vma_start_read() then increments the
vma->vm_refcnt (if it is in an acceptable range), and if this succeeds,
vma_start_read() can return a recycled VMA.

In this scenario where the VMA has been recycled, lock_vma_under_rcu()
will then detect the mismatching ->vm_mm pointer and drop the VMA through
vma_end_read(), which calls vma_refcount_put().  vma_refcount_put() drops
the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. 
This is wrong: It implicitly assumes that the caller is keeping the VMA's
mm alive, but in this scenario the caller has no relation to the VMA's mm,
so the rcuwait_wake_up() can cause UAF.

The diagram depicting the race:
T1         T2         T3
==         ==         ==
lock_vma_under_rcu
  mas_walk
          <VMA gets removed from mm>
                      mmap
                        <the same VMA is reallocated>
  vma_start_read
    __refcount_inc_not_zero_limited_acquire
                      munmap
                        __vma_enter_locked
                          refcount_add_not_zero
  vma_end_read
    vma_refcount_put
      __refcount_dec_and_test
                          rcuwait_wait_event
                            <finish operation>
      rcuwait_wake_up [UAF]

Note that rcuwait_wait_event() in T3 does not block because refcount was
already dropped by T1.  At this point T3 can exit and free the mm causing
UAF in T1.

To avoid this we move vma->vm_mm verification into vma_start_read() and
grab vma->vm_mm to stabilize it before vma_refcount_put() operation.

[surenb@google.com: v3]
  Link: https://lkml.kernel.org/r/20250729145709.2731370-1-surenb@google.com
Link: https://lkml.kernel.org/r/20250728175355.2282375-1-surenb@google.com
Fixes: 3104138517 ("mm: make vma cache SLAB_TYPESAFE_BY_RCU")
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reported-by: Jann Horn <jannh@google.com>
Closes: https://lore.kernel.org/all/CAG48ez0-deFbVH=E3jbkWx=X3uVbd8nWeo6kbJPQ0KoUD+m2tA@mail.gmail.com/
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Jann Horn <jannh@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2025-08-02 12:06:11 -07:00
..
damon mm/damon/vaddr: skip isolating folios already in destination nid 2025-08-02 12:06:09 -07:00
kasan kasan: skip quarantine if object is still accessible under RCU 2025-08-02 12:06:08 -07:00
kfence kfence: skip __GFP_THISNODE allocations on NUMA systems 2025-02-01 03:53:26 -08:00
kmsan kmsan: test: add module description 2025-06-05 22:02:25 -07:00
backing-dev.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
balloon_compaction.c mm: stop storing migration_ops in page->mapping 2025-07-13 16:38:29 -07:00
bootmem_info.c mm/sparse: allow for alternate vmemmap section init at boot 2025-03-16 22:06:27 -07:00
cma_debug.c mm: cma: simplify cma_maxchunk_get() 2025-07-24 19:12:36 -07:00
cma_sysfs.c mm/cma: export total and free number of pages for CMA areas 2025-03-16 22:06:24 -07:00
cma.c mm: cma: simplify cma_debug_show_areas() 2025-07-24 19:12:36 -07:00
cma.h mm: cma: set early_pfn and bitmap as a union in cma_memrange 2025-05-22 14:55:36 -07:00
compaction.c mm: rename PG_isolated to PG_movable_ops_isolated 2025-07-13 16:38:30 -07:00
debug_page_alloc.c mm/debug_page_alloc: improve error message for invalid guardpage minorder 2025-05-12 23:50:38 -07:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: use a swp_entry_t input value for swap tests 2025-07-13 16:38:21 -07:00
debug.c mm/util: introduce snapshot_page() 2025-07-24 19:12:35 -07:00
dmapool_test.c mm/dmapool: add MODULE_DESCRIPTION() 2024-07-03 19:29:58 -07:00
dmapool.c dmapool: add NUMA affinity support 2025-05-20 05:34:27 +02:00
early_ioremap.c mm/early_ioremap: add null pointer checks to prevent NULL-pointer dereference 2025-01-13 22:40:59 -08:00
execmem.c mm: update core kernel code to use vm_flags_t consistently 2025-07-09 22:42:13 -07:00
fadvise.c fdget(), trivial conversions 2024-11-03 01:28:06 -05:00
fail_page_alloc.c fault-inject: improve build for CONFIG_FAULT_INJECTION=n 2024-09-01 20:43:33 -07:00
failslab.c fault-inject: improve build for CONFIG_FAULT_INJECTION=n 2024-09-01 20:43:33 -07:00
filemap.c mm: update core kernel code to use vm_flags_t consistently 2025-07-09 22:42:13 -07:00
folio-compat.c mm: Remove grab_cache_page_write_begin() 2025-03-04 17:02:25 +00:00
gup_test.c
gup_test.h
gup.c mm: rename PAGE_MAPPING_* to FOLIO_MAPPING_* 2025-07-13 16:38:31 -07:00
highmem.c mm/highmem: make nr_free_highpages() return "unsigned long" 2024-07-03 19:30:06 -07:00
hmm.c mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery 2025-07-19 18:59:53 -07:00
huge_memory.c mm/huge_memory: refactor after-split (page) cache code 2025-07-24 19:12:39 -07:00
hugetlb_cgroup.c page_counter: track failcnt only for legacy cgroups 2025-03-17 00:05:35 -07:00
hugetlb_cma.c mm/hugetlb: use separate nodemask for bootmem allocations 2025-05-12 23:50:35 -07:00
hugetlb_cma.h mm/hugetlb: move hugetlb CMA code in to its own file 2025-03-16 22:06:31 -07:00
hugetlb_vmemmap.c mm/pagewalk: split walk_page_range_novma() into kernel/user parts 2025-07-09 22:42:05 -07:00
hugetlb_vmemmap.h mm/hugetlb: do pre-HVO for bootmem allocated pages 2025-03-16 22:06:29 -07:00
hugetlb.c mm/page_owner: convert set_page_owner_migrate_reason() to folios 2025-07-19 18:59:57 -07:00
hwpoison-inject.c mm/hwpoison: add MODULE_DESCRIPTION() 2024-07-03 19:29:58 -07:00
init-mm.c mm: replace vm_lock and detached flag with a reference count 2025-03-16 22:06:20 -07:00
internal.h mm: introduce FPB_RESPECT_WRITE for PTE batching infrastructure 2025-07-24 19:12:40 -07:00
interval_tree.c
ioremap.c mm/ioremap: pass pgprot_t to ioremap_prot() instead of unsigned long 2025-03-16 22:06:23 -07:00
Kconfig mm: remove mm/io-mapping.c 2025-08-02 12:06:10 -07:00
Kconfig.debug mm: rename GENERIC_PTDUMP and PTDUMP_CORE 2025-03-17 00:05:32 -07:00
khugepaged.c khugepaged: optimize collapse_pte_mapped_thp() by PTE batching 2025-08-02 12:06:10 -07:00
kmemleak.c mm/alloc_tag: fix the kmemleak false positive issue in the allocation of the percpu variable tag->counters 2025-06-25 15:55:03 -07:00
ksm.c mm: rename PAGE_MAPPING_* to FOLIO_MAPPING_* 2025-07-13 16:38:31 -07:00
list_lru.c mm, list_lru: refactor the locking code 2025-07-09 22:41:56 -07:00
maccess.c mm: unexport globally copy_to_kernel_nofault 2025-07-09 22:42:22 -07:00
madvise.c mm/mseal: small cleanups 2025-08-02 12:06:09 -07:00
Makefile mm: remove mm/io-mapping.c 2025-08-02 12:06:10 -07:00
mapping_dirty_helpers.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
memblock.c memblock: add KHO support for reserve_mem 2025-05-12 23:50:42 -07:00
memcontrol-v1.c memcg: make count_memcg_events re-entrant safe against irqs 2025-05-22 14:55:38 -07:00
memcontrol-v1.h memcg: move do_memsw_account() to CONFIG_MEMCG_V1 2025-03-21 22:03:11 -07:00
memcontrol.c memcg: convert memcg->socket_pressure to u64 2025-07-24 19:12:32 -07:00
memfd.c mm/memfd: replace deprecated strcpy() with memcpy() in alloc_name() 2025-07-19 18:59:57 -07:00
memory_hotplug.c mm: rename __PageMovable() to page_has_movable_ops() 2025-07-13 16:38:29 -07:00
memory-failure.c mm/memory-failure: hold PTL in hwpoison_hugetlb_range 2025-08-02 12:06:10 -07:00
memory-tiers.c mm,memory-tiers: use node-notifier instead of memory-notifier 2025-07-13 16:38:15 -07:00
memory.c mm/memory: introduce is_huge_zero_pfn() and use it in vm_normal_page_pmd() 2025-07-24 19:12:35 -07:00
mempolicy.c mm: split folio_pte_batch() into folio_pte_batch() and folio_pte_batch_flags() 2025-07-19 18:59:45 -07:00
mempool.c mm: mempool: fix wake-up edge case bug for zero-minimum pools 2025-07-24 19:12:38 -07:00
memremap.c mm/page_alloc: add support for initializing pageblock as isolated 2025-07-13 16:38:17 -07:00
memtest.c
migrate_device.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
migrate.c mm/page_owner: convert set_page_owner_migrate_reason() to folios 2025-07-19 18:59:57 -07:00
mincore.c mm/mincore: hold PTL in mincore_hugetlb 2025-08-02 12:06:10 -07:00
mlock.c mm: split folio_pte_batch() into folio_pte_batch() and folio_pte_batch_flags() 2025-07-19 18:59:45 -07:00
mm_init.c mm/page_alloc: add support for initializing pageblock as isolated 2025-07-13 16:38:17 -07:00
mm_slot.h
mmap_lock.c mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped 2025-08-02 12:06:11 -07:00
mmap.c mm: simplify min_brk handling in brk() 2025-07-19 18:59:53 -07:00
mmu_gather.c mmu_gather: move tlb flush for VM_PFNMAP/VM_MIXEDMAP vmas into free_pgtables() 2025-05-31 22:46:12 -07:00
mmu_notifier.c Update Christoph's Email address and make it consistent 2025-05-12 23:50:31 -07:00
mmzone.c mm: improve code consistency with zonelist_* helper functions 2024-09-01 20:25:55 -07:00
mprotect.c mm/mseal: small cleanups 2025-08-02 12:06:09 -07:00
mremap.c mm: add get_and_clear_ptes() and clear_ptes() 2025-08-02 12:06:10 -07:00
mseal.c mm/mseal: rework mseal apply logic 2025-08-02 12:06:09 -07:00
msync.c
nommu.c mm: update core kernel code to use vm_flags_t consistently 2025-07-09 22:42:13 -07:00
numa_emulation.c mm/fake-numa: allow later numa node hotplug 2025-01-25 20:22:29 -08:00
numa_memblks.c mm: numa_memblks: introduce numa_add_reserved_memblk 2025-05-22 14:55:36 -07:00
numa.c mm/numa: remove unnecessary local variable in alloc_node_data() 2025-05-12 23:50:38 -07:00
oom_kill.c mm/oom_kill: fix trivial typo in comment 2025-03-16 22:05:55 -07:00
page_alloc.c mm/page_alloc: remove trace_mm_alloc_contig_migrate_range_info() 2025-07-26 15:08:22 -07:00
page_counter.c page_counter: track failcnt only for legacy cgroups 2025-03-17 00:05:35 -07:00
page_ext.c mm,page_ext: derive the node from the pfn 2025-07-13 16:38:16 -07:00
page_frag_cache.c mm/page_alloc: export free_frozen_pages() instead of free_unref_page() 2025-01-13 22:40:31 -08:00
page_idle.c mm/page_idle: handle device-exclusive entries correctly in page_idle_clear_pte_refs_one() 2025-03-16 22:05:59 -07:00
page_io.c mm: stop passing a writeback_control structure to swap_writeout 2025-07-09 22:41:58 -07:00
page_isolation.c mm/page_isolation: drop __folio_test_movable() check for large folios 2025-07-13 16:38:29 -07:00
page_owner.c mm/page_owner: convert set_page_owner_migrate_reason() to folios 2025-07-19 18:59:57 -07:00
page_poison.c
page_reporting.c
page_reporting.h
page_table_check.c mm/page_table_check: Batch-check pmds/puds just like ptes 2025-05-09 13:43:07 +01:00
page_vma_mapped.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
page-writeback.c mm, vmstat: remove the NR_WRITEBACK_TEMP node_stat_item counter 2025-07-19 18:59:47 -07:00
pagewalk.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
percpu-internal.h mm: remove CONFIG_MEMCG_KMEM 2024-07-10 12:14:54 -07:00
percpu-km.c
percpu-stats.c mm: remove outdated filename comment in percpu-stats.c 2025-07-13 16:38:23 -07:00
percpu-vm.c
percpu.c mm/percpu: prevent concurrency problem for pcpu_nr_populated read with spin lock 2025-07-13 16:38:21 -07:00
pgalloc-track.h
pgtable-generic.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
process_vm_access.c mm: refactor mm_access() to not return NULL 2024-11-05 16:56:23 -08:00
pt_reclaim.c mm: pgtable: reclaim empty PTE page in madvise(MADV_DONTNEED) 2025-01-13 22:40:48 -08:00
ptdump.c mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() 2025-07-09 22:42:20 -07:00
readahead.c readahead: use folio_nr_pages() instead of shift operation 2025-07-19 18:59:53 -07:00
rmap.c mm: add get_and_clear_ptes() and clear_ptes() 2025-08-02 12:06:10 -07:00
rodata_test.c mm/rodata_test: verify test data is unchanged, rather than non-zero 2025-01-13 22:40:38 -08:00
secretmem.c secretmem: remove uses of struct page 2025-07-09 22:42:10 -07:00
shmem_quota.c shmem_quota: build the object file conditionally to the config option 2024-09-01 20:25:45 -07:00
shmem.c mm: shmem: fix the shmem large folio allocation for the i915 driver 2025-08-02 12:05:51 -07:00
show_mem.c mm, vmstat: remove the NR_WRITEBACK_TEMP node_stat_item counter 2025-07-19 18:59:47 -07:00
shrinker_debug.c mm/shrinker: fix name consistency issue in shrinker_debugfs_rename() 2025-03-17 00:05:40 -07:00
shrinker.c mm: shrinker: avoid memleak in alloc_shrinker_info 2024-10-31 20:27:04 -07:00
shuffle.c
shuffle.h
slab_common.c Update Christoph's Email address and make it consistent 2025-05-12 23:50:31 -07:00
slab.h Merge branch 'slab/for-6.15/kfree_rcu_tiny' into slab/for-next 2025-03-20 10:33:38 +01:00
slub.c mm,slub: use node-notifier instead of memory-notifier 2025-07-13 16:38:15 -07:00
sparse-vmemmap.c mm/hugetlb: do pre-HVO for bootmem allocated pages 2025-03-16 22:06:29 -07:00
sparse.c drivers/base/memory: improve add_boot_memory_block() 2025-03-17 22:07:01 -07:00
swap_cgroup.c mm: swap_cgroup: remove double initialization of locals 2025-03-17 22:06:58 -07:00
swap_state.c - The 11 patch series "Add folio_mk_pte()" from Matthew Wilcox 2025-05-31 15:44:16 -07:00
swap.c mm: optimize lru_note_cost() by adding lru_note_cost_unlock_irq() 2025-07-24 19:12:28 -07:00
swap.h mm: stop passing a writeback_control structure to swap_writeout 2025-07-09 22:41:58 -07:00
swapfile.c mm: swap: remove stale comment stale comment in cluster_alloc_swap_entry() 2025-07-24 19:12:34 -07:00
truncate.c - The 2 patch series "zram: support algorithm-specific parameters" from 2025-06-02 16:00:26 -07:00
usercopy.c mm: security: Check early if HARDENED_USERCOPY is enabled 2025-02-28 11:51:31 -08:00
userfaultfd.c mm: remove redundant pXd_devmap calls 2025-07-09 22:42:17 -07:00
util.c mm/util: introduce snapshot_page() 2025-07-24 19:12:35 -07:00
vma_exec.c mm/vma: use vmg->target to specify target VMA for new VMA merge 2025-07-09 22:42:11 -07:00
vma_init.c mm: convert VM_PFNMAP tracking to pfnmap_track() + pfnmap_untrack() 2025-05-22 14:55:37 -07:00
vma_internal.h mm/vma: move brk() internals to mm/vma.c 2025-01-13 22:40:42 -08:00
vma.c mm/mseal: small cleanups 2025-08-02 12:06:09 -07:00
vma.h mm/mseal: small cleanups 2025-08-02 12:06:09 -07:00
vmalloc.c mm/vmalloc: leave lazy MMU mode on PTE mapping error 2025-07-09 21:07:52 -07:00
vmpressure.c memcg: convert memcg->socket_pressure to u64 2025-07-24 19:12:32 -07:00
vmscan.c mm: optimize lru_note_cost() by adding lru_note_cost_unlock_irq() 2025-07-24 19:12:28 -07:00
vmstat.c mm, vmstat: remove the NR_WRITEBACK_TEMP node_stat_item counter 2025-07-19 18:59:47 -07:00
workingset.c mm: workingset: simplify lockdep check in update_node 2025-05-12 23:50:44 -07:00
zpdesc.h mm: convert "movable" flag in page->mapping to a page flag 2025-07-13 16:38:30 -07:00
zpool.c zsmalloc: prefer the the original page's node for compressed data 2025-05-11 17:48:06 -07:00
zsmalloc.c mm: stop storing migration_ops in page->mapping 2025-07-13 16:38:29 -07:00
zswap.c mm: stop passing a writeback_control structure to __swap_writepage 2025-07-09 22:41:57 -07:00