CVE-2022-48802

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/proc: task_mmu.c: don&amp;#39;t read mapcount for migration entry<br /> <br /> The syzbot reported the below BUG:<br /> <br /> kernel BUG at include/linux/page-flags.h:785!<br /> invalid opcode: 0000 [#1] PREEMPT SMP KASAN<br /> CPU: 1 PID: 4392 Comm: syz-executor560 Not tainted 5.16.0-rc6-syzkaller #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> RIP: 0010:PageDoubleMap include/linux/page-flags.h:785 [inline]<br /> RIP: 0010:__page_mapcount+0x2d2/0x350 mm/util.c:744<br /> Call Trace:<br /> page_mapcount include/linux/mm.h:837 [inline]<br /> smaps_account+0x470/0xb10 fs/proc/task_mmu.c:466<br /> smaps_pte_entry fs/proc/task_mmu.c:538 [inline]<br /> smaps_pte_range+0x611/0x1250 fs/proc/task_mmu.c:601<br /> walk_pmd_range mm/pagewalk.c:128 [inline]<br /> walk_pud_range mm/pagewalk.c:205 [inline]<br /> walk_p4d_range mm/pagewalk.c:240 [inline]<br /> walk_pgd_range mm/pagewalk.c:277 [inline]<br /> __walk_page_range+0xe23/0x1ea0 mm/pagewalk.c:379<br /> walk_page_vma+0x277/0x350 mm/pagewalk.c:530<br /> smap_gather_stats.part.0+0x148/0x260 fs/proc/task_mmu.c:768<br /> smap_gather_stats fs/proc/task_mmu.c:741 [inline]<br /> show_smap+0xc6/0x440 fs/proc/task_mmu.c:822<br /> seq_read_iter+0xbb0/0x1240 fs/seq_file.c:272<br /> seq_read+0x3e0/0x5b0 fs/seq_file.c:162<br /> vfs_read+0x1b5/0x600 fs/read_write.c:479<br /> ksys_read+0x12d/0x250 fs/read_write.c:619<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> <br /> The reproducer was trying to read /proc/$PID/smaps when calling<br /> MADV_FREE at the mean time. MADV_FREE may split THPs if it is called<br /> for partial THP. It may trigger the below race:<br /> <br /> CPU A CPU B<br /> ----- -----<br /> smaps walk: MADV_FREE:<br /> page_mapcount()<br /> PageCompound()<br /> split_huge_page()<br /> page = compound_head(page)<br /> PageDoubleMap(page)<br /> <br /> When calling PageDoubleMap() this page is not a tail page of THP anymore<br /> so the BUG is triggered.<br /> <br /> This could be fixed by elevated refcount of the page before calling<br /> mapcount, but that would prevent it from counting migration entries, and<br /> it seems overkilling because the race just could happen when PMD is<br /> split so all PTE entries of tail pages are actually migration entries,<br /> and smaps_account() does treat migration entries as mapcount == 1 as<br /> Kirill pointed out.<br /> <br /> Add a new parameter for smaps_account() to tell this entry is migration<br /> entry then skip calling page_mapcount(). Don&amp;#39;t skip getting mapcount<br /> for device private entries since they do track references with mapcount.<br /> <br /> Pagemap also has the similar issue although it was not reported. Fixed<br /> it as well.<br /> <br /> [shy828301@gmail.com: v4]<br /> [nathan@kernel.org: avoid unused variable warning in pagemap_pmd_range()]