CVE-2021-4002: git/torvalds/linux.git - Linux kernel source tree
A memory leak flaw was found in the Linux kernel's hugetlbfs memory usage. It occurs when a user maps some PUD-aligned regions of memory twice using shmget() and faults in some of the memory pages. A local user could use this flaw to get unauthorized access to some data.
author: Nadav Amit [email protected], 2021-11-21 12:40:08 -0800
committer: Linus Torvalds [email protected], 2021-11-22 11:36:46 -0800
commit: 13e4ad2ce8df6e058ef482a31fdd81c725b0f7ea (patch)
tree: f299abe211d8fdb36b2134fc739fbb5880cebacb
parent: a4a118f2eead1d6c49e00765de89878288d4b890 (diff)
hugetlbfs: flush before unlock on move_hugetlb_page_tables()
We must flush the TLB before releasing i_mmap_rwsem to avoid the potential reuse of an unshared PMDs page. This is not true in the case of move_hugetlb_page_tables(). The last reference on the page table can therefore be dropped before the TLB flush took place.

Prevent it by reordering the operations and flushing the TLB before releasing i_mmap_rwsem.

Fixes: 550a7d60bd5e ("mm, hugepages: add mremap() support for hugepage backed vma")
Signed-off-by: Nadav Amit [email protected]
Reviewed-by: Mike Kravetz [email protected]
Cc: Mina Almasry [email protected]
Cc: Andrew Morton [email protected]
Signed-off-by: Linus Torvalds [email protected]
-rw-r--r-- mm/hugetlb.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 2ccebe1ca9f41…abcd1785c629c 100644
— a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4919,9 +4919,9 @@ int move_hugetlb_page_tables(struct vm_area_struct *vma,
move_huge_pte(vma, old_addr, new_addr, src_pte);
}
- i_mmap_unlock_write(mapping);
flush_tlb_range(vma, old_end - len, old_end);
mmu_notifier_invalidate_range_end(&range);
+ i_mmap_unlock_write(mapping);
return len + old_addr - old_end;
}
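Review bot: the new position of i_mmap_unlock_write(mapping), after flush_tlb_range() and mmu_notifier_invalidate_range_end(), carries an ordering requirement that nothing in the function records. A short comment above flush_tlb_range(vma, old_end - len, old_end) stating that the flush has to complete before i_mmap_rwsem is released, because an unshared PMD page could otherwise be reused while stale TLB entries still point at it, would keep a later cleanup from moving the unlock back up. The move also places mmu_notifier_invalidate_range_end(&range) inside the locked region, while the commit message only requires the TLB flush to precede the unlock; the message or a comment should say whether the notifier call is meant to run under i_mmap_rwsem or could follow the unlock.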