CVE-2021-46988

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
28/02/2024
Last modified:
26/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

userfaultfd: release page in error path to avoid BUG_ON

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mfill_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_lock, and retries, calling back into shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting fails, and if so, release it before returning.
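The four-step sequence above is a contract between a callee that may park a page in *pagep and return -ENOENT, and a caller that asserts the page was consumed on any other return. The user-space model below, added here as an illustration and not code from the kernel or from the fix, replays that contract with a refcounted stand-in for struct page, a one-block tmpfs whose capacity "another process" can exhaust between the -ENOENT return and the retry, and a switch that applies the fix described in the last paragraph (release the parked page when accounting fails). The function names mirror the kernel's for readability only; struct ctx, run_scenario(), the PAGE_BYTES buffer and the "uffd payload" input are constructed for this example, and BUG_ON is counted rather than panicking so the outcome can be inspected.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_BYTES 64
/* Stand-in for struct page; live_pages makes a leaked page observable. */
struct page { int refcount; char data[PAGE_BYTES]; };
static int live_pages;

static struct page *alloc_page(void)
{
    struct page *p = calloc(1, sizeof *p);
    if (p) { p->refcount = 1; live_pages++; }
    return p;
}
static void put_page(struct page *p) { if (p && --p->refcount == 0) { free(p); live_pages--; } }

/* Stand-in for shmem_inode_acct_block()/unacct_blocks(): blocks_free is the
 * tmpfs capacity left, which "another process" can exhaust between retries. */
static int blocks_free;
static bool acct_block(void) { if (blocks_free <= 0) return false; blocks_free--; return true; }
static void unacct_block(void) { blocks_free++; }

struct ctx {                    /* constructed for this example */
    bool copy_fails_under_lock; /* first copy_from_user() fails -> -ENOENT */
    bool other_fills_tmpfs;     /* tmpfs fills up before the retry (step 3) */
    bool fixed;                 /* apply the fix: release the page on ENOMEM */
    int bug_on_hits;            /* BUG_ON(page) hits, counted instead of panicking */
    int leaked_pages;           /* pages still live at the moment BUG_ON would fire */
};

/* Model of shmem_mfill_atomic_pte(): 0 on success; -ENOENT with the page parked
 * in *pagep for the caller to fill and retry; -ENOMEM when accounting fails. */
static int shmem_mfill_atomic_pte(struct ctx *c, struct page **pagep,
                                  const char *src, char *dst)
{
    struct page *page;
    if (!acct_block()) {
        /* The fix: release a page parked by an earlier -ENOENT instead of
         * returning with *pagep still set, as unpatched kernels do. */
        if (c->fixed && *pagep) {
            put_page(*pagep);
            *pagep = NULL;
        }
        return -ENOMEM;
    }
    if (!*pagep) {
        page = alloc_page();
        if (!page) { unacct_block(); return -ENOMEM; }
        if (c->copy_fails_under_lock) {
            /* copy_from_user() failed under mmap_lock: park the page, undo the
             * accounting and ask the caller to copy without the lock. */
            *pagep = page;
            unacct_block();
            return -ENOENT;
        }
        memcpy(page->data, src, PAGE_BYTES);
    } else {
        page = *pagep;          /* retry: the caller already filled this page */
        *pagep = NULL;
    }
    /* "Install" the page: the kernel maps it into page cache and page table,
     * consuming the reference; here it is copied out and dropped. */
    memcpy(dst, page->data, PAGE_BYTES);
    put_page(page);
    return 0;
}

/* Model of the retry loop in mm/userfaultfd.c that calls the function above. */
static int mcopy_atomic(struct ctx *c, const char *src, char *dst)
{
    struct page *page = NULL;
    int err;
retry:
    err = shmem_mfill_atomic_pte(c, &page, src, dst); /* called under mmap_lock */
    if (err == -ENOENT) {
        memcpy(page->data, src, PAGE_BYTES);  /* copy with mmap_lock dropped */
        c->copy_fails_under_lock = false;
        if (c->other_fills_tmpfs)
            blocks_free = 0;                  /* step 3 of the description */
        goto retry;
    }
    if (page) {   /* the kernel's BUG_ON(page): callee returned without consuming it */
        c->bug_on_hits++;
        c->leaked_pages = live_pages;
        put_page(page);   /* the kernel panics here; freed only to keep the demo clean */
    }
    return err;
}

struct result { int err, bug_on_hits, leaked_pages; };
/* One UFFDIO_COPY-style fill with room for exactly one page on the tmpfs. */
static struct result run_scenario(bool fixed, bool other_fills_tmpfs)
{
    struct ctx c = { .copy_fails_under_lock = true,
                     .other_fills_tmpfs = other_fills_tmpfs, .fixed = fixed };
    char src[PAGE_BYTES] = "uffd payload", dst[PAGE_BYTES] = { 0 };
    int err;
    live_pages = 0;
    blocks_free = 1;
    err = mcopy_atomic(&c, src, dst);
    return (struct result){ err, c.bug_on_hits, c.leaked_pages };
}
```

run_scenario(false, true) replays the unpatched kernel: the retry fails accounting, the callee returns -ENOMEM with the parked page still live, and the caller's BUG_ON fires. run_scenario(true, true) applies the fix and returns -ENOMEM with no dangling page, while either variant with other_fills_tmpfs false completes the copy on the retry. Note that the failure mode the commit describes is the BUG_ON itself, i.e. a kernel panic reached through a page that was never released, so the practical impact for a system running an affected version is a crash triggerable by a local process that can drive userfaultfd against a tmpfs that fills up mid-operation.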

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.11 (including) 4.14.233 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.191 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.38 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.11.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.12 (including) 5.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*