CVE-2022-49778
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025
Last modified: 02/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for non-leaf pmd/pud

The page table check triggers BUG_ON() unexpectedly when collapsing a hugepage:

------------[ cut here ]------------
kernel BUG at mm/page_table_check.c:82!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 6 PID: 68 Comm: khugepaged Not tainted 6.1.0-rc3+ #750
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : page_table_check_clear.isra.0+0x258/0x3f0
lr : page_table_check_clear.isra.0+0x240/0x3f0
[...]
Call trace:
page_table_check_clear.isra.0+0x258/0x3f0
__page_table_check_pmd_clear+0xbc/0x108
pmdp_collapse_flush+0xb0/0x160
collapse_huge_page+0xa08/0x1080
hpage_collapse_scan_pmd+0xf30/0x1590
khugepaged_scan_mm_slot.constprop.0+0x52c/0xac8
khugepaged+0x338/0x518
kthread+0x278/0x2f8
ret_from_fork+0x10/0x20
[...]

Since pmd_user_accessible_page() doesn't check if a pmd is leaf, it
decreases file_map_count for a non-leaf pmd that comes from collapse_huge_page(),
and so triggers BUG_ON() unexpectedly.

Fix this problem by using pmd_leaf() instead of pmd_present() in
pmd_user_accessible_page(). Moreover, use pud_leaf() for
pud_user_accessible_page() too.
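
The accounting problem described above, as a user-space C model added here for illustration (it is not kernel code and not taken from the patch). Assumptions: the bit layout, the model_* and accessible_* names and the single counter are constructed for this model, as is the premise that the cleared table entry carries a user bit and was never counted on a set path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit layout for this model only; NOT the real arm64 descriptor format. */
#define M_VALID (1u << 0) /* entry is present */
#define M_TABLE (1u << 1) /* entry points to a lower-level table (non-leaf) */
#define M_USER  (1u << 2) /* user-accessible permission */
typedef uint32_t model_pmd_t;
typedef bool (*accessible_fn)(model_pmd_t);

static bool model_present(model_pmd_t e) { return (e & M_VALID) != 0; }
static bool model_leaf(model_pmd_t e) { return model_present(e) && !(e & M_TABLE); }
/* Predicate shape before the fix: any present entry with user permission. */
static bool accessible_before(model_pmd_t e) { return model_present(e) && (e & M_USER); }
/* Predicate shape after the fix: only a leaf entry maps a user page. */
static bool accessible_after(model_pmd_t e) { return model_leaf(e) && (e & M_USER); }

/* Clear path: returns false where the kernel checker would hit BUG_ON(),
 * that is, when the map counter would drop below zero. */
static bool model_clear(int *map_count, model_pmd_t e, accessible_fn ok)
{
    if (!ok(e))
        return true; /* entry is not accounted, nothing to release */
    return --*map_count >= 0;
}

/* Collapse scenario: a non-leaf entry is cleared; its counter was never raised. */
static bool clear_table_entry(accessible_fn ok)
{
    int map_count = 0;
    return model_clear(&map_count, M_VALID | M_TABLE | M_USER, ok);
}

/* Regression check: a leaf mapping is counted once, then released; -1 on failure. */
static int leaf_roundtrip(accessible_fn ok)
{
    int map_count = ok(M_VALID | M_USER) ? 1 : 0; /* set path counts the leaf */
    return model_clear(&map_count, M_VALID | M_USER, ok) ? map_count : -1;
}

int main(void)
{
    printf("before fix, table entry clear ok: %d\n", clear_table_entry(accessible_before));
    printf("after fix,  table entry clear ok: %d\n", clear_table_entry(accessible_after));
    printf("after fix,  leaf roundtrip count: %d\n", leaf_roundtrip(accessible_after));
    return 0;
}
```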