CVE-2021-47214

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/04/2024
Last modified:
27/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

hugetlb, userfaultfd: fix reservation restore on userfaultfd error

Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if we bail out using "goto out_release_unlock;" in the cases where idx >= size, or !huge_pte_none(), the code will detect that new_pagecache_page == false, and so call restore_reserve_on_error(). In this case I see restore_reserve_on_error() delete the reservation, and the following call to remove_inode_hugepages() will increment h->resv_hugepages causing a 100% reproducible leak.

We should treat the is_continue case similar to adding a page into the pagecache and set new_pagecache_page to true, to indicate that there is no reservation to restore on the error path, and we need not call restore_reserve_on_error(). Rename new_pagecache_page to page_in_pagecache to make that clear.

Vulnerable products and versions

CPE                                                  From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.14 (including)   5.15.5 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13.13:*:*:*:*:*:*:*   -                  -
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*    -                  -