CVE-2021-47632

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/set_memory: Avoid spinlock recursion in change_page_attr()<br /> <br /> Commit 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines")<br /> included a spin_lock() to change_page_attr() in order to<br /> safely perform the three step operations. But then<br /> commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against<br /> concurrent accesses") modify it to use pte_update() and do<br /> the operation safely against concurrent access.<br /> <br /> In the meantime, Maxime reported some spinlock recursion.<br /> <br /> [ 15.351649] BUG: spinlock recursion on CPU#0, kworker/0:2/217<br /> [ 15.357540] lock: init_mm+0x3c/0x420, .magic: dead4ead, .owner: kworker/0:2/217, .owner_cpu: 0<br /> [ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ #523<br /> [ 15.373350] Workqueue: events do_free_init<br /> [ 15.377615] Call Trace:<br /> [ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable)<br /> [ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4<br /> [ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310<br /> [ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0<br /> [ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8<br /> [ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94<br /> [ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310<br /> [ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134<br /> [ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8<br /> [ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c<br /> [ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8<br /> [ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94<br /> [ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8<br /> [ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8<br /> [ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210<br /> [ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c<br /> <br /> Remove the read / modify / write sequence to make the operation atomic<br /> and remove the spin_lock() in change_page_attr().<br /> <br /> To do the operation atomically, we can&amp;#39;t use pte modification helpers<br /> anymore. Because all platforms have different combination of bits, it<br /> is not easy to use those bits directly. But all have the<br /> _PAGE_KERNEL_{RO/ROX/RW/RWX} set of flags. All we need it to compare<br /> two sets to know which bits are set or cleared.<br /> <br /> For instance, by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you<br /> know which bit gets cleared and which bit get set when changing exec<br /> permission.