Centos-kernel-stream-9/mm
Patrick Talbert 6e18394d1f Merge: CVE-2024-56611: mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6287

JIRA: https://issues.redhat.com/browse/RHEL-75840
CVE: CVE-2024-56611

```
mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM

We currently assume that there is at least one VMA in a MM, which isn't
true.

So we might end up having find_vma() return NULL, to then de-reference
NULL.  So properly handle find_vma() returning NULL.

This fixes the report:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 6021 Comm: syz-executor284 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
RIP: 0010:migrate_to_node mm/mempolicy.c:1090 [inline]
RIP: 0010:do_migrate_pages+0x403/0x6f0 mm/mempolicy.c:1194
Code: ...
RSP: 0018:ffffc9000375fd08 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffc9000375fd78 RCX: 0000000000000000
RDX: ffff88807e171300 RSI: dffffc0000000000 RDI: ffff88803390c044
RBP: ffff88807e171428 R08: 0000000000000014 R09: fffffbfff2039ef1
R10: ffffffff901cf78f R11: 0000000000000000 R12: 0000000000000003
R13: ffffc9000375fe90 R14: ffffc9000375fe98 R15: ffffc9000375fdf8
FS:  00005555919e1380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555919e1ca8 CR3: 000000007f12a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 kernel_migrate_pages+0x5b2/0x750 mm/mempolicy.c:1709
 __do_sys_migrate_pages mm/mempolicy.c:1727 [inline]
 __se_sys_migrate_pages mm/mempolicy.c:1723 [inline]
 __x64_sys_migrate_pages+0x96/0x100 mm/mempolicy.c:1723
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

[akpm@linux-foundation.org: add unlikely()]
Link: https://lkml.kernel.org/r/20241120201151.9518-1-david@redhat.com
Fixes: 39743889aa ("[PATCH] Swap Migration V5: sys_migrate_pages interface")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reported-by: syzbot+3511625422f7aa637f0d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/lkml/673d2696.050a0220.3c9d61.012f.GAE@google.com/T/
Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 091c1dd2d4df6edd1beebe0e5863d4034ade9572)
```

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

---

<small>Created 2025-01-28 13:46 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=backporter%20webhook%20issue)</small>

Approved-by: Waiman Long <longman@redhat.com>
Approved-by: Herton R. Krzesinski <herton@redhat.com>
Approved-by: Rafael Aquini <raquini@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Patrick Talbert <ptalbert@redhat.com>
2025-02-17 12:00:34 -05:00
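As an added illustration (this is not kernel code and not part of the merge request above), the following user-space model shows the pattern the commit message describes: `find_vma(mm, 0)` returns NULL when the address space holds no VMAs at all, and the pre-fix `migrate_to_node()` read `vma->vm_start` through that NULL pointer, which is the `null-ptr-deref` in the KASAN report. The struct layouts, the `*_model` function names, `PAGE_SHIFT` and the sample address spaces are assumptions made for this example; the model also leaves out the mmap lock handling and returns a simpler value (pages moved) than the kernel function does. The fixed variant returns 0 for an empty MM, which is how I read the upstream fix; the diff itself is not reproduced on this page.

```c
/*
 * Added example for CVE-2024-56611: a user-space model of the find_vma()
 * pattern migrate_to_node() got wrong.  Not kernel code.  Struct layouts,
 * *_model names and the sample address spaces are assumptions; the kernel
 * keeps VMAs in a maple tree and its return value has other semantics.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12	/* assumed 4 KiB pages */

struct vma_model {
	unsigned long vm_start;	/* inclusive */
	unsigned long vm_end;	/* exclusive */
	int node;		/* NUMA node holding this VMA's pages */
};

struct mm_model {
	size_t nr_vmas;		/* may be 0: an MM is allowed to have no VMAs */
	struct vma_model *vmas;	/* sorted by vm_start, non-overlapping */
};

/* Same contract as the kernel's find_vma(): first VMA with vm_end > addr, else NULL. */
static struct vma_model *find_vma_model(struct mm_model *mm, unsigned long addr)
{
	for (size_t i = 0; i < mm->nr_vmas; i++)
		if (mm->vmas[i].vm_end > addr)
			return &mm->vmas[i];
	return NULL;
}

/*
 * Stand-in for queue_pages_range() + migrate_pages(): move every page of
 * every VMA from @start upwards that lives on @source to @dest, return count.
 */
static long move_range_model(struct mm_model *mm, unsigned long start,
			     int source, int dest)
{
	struct vma_model *vma;
	long moved = 0;

	while ((vma = find_vma_model(mm, start)) != NULL) {
		if (vma->node == source) {
			vma->node = dest;
			moved += (long)((vma->vm_end - vma->vm_start) >> PAGE_SHIFT);
		}
		start = vma->vm_end;
	}
	return moved;
}

/* Shape of the code before the fix: vma->vm_start is read with no NULL check. */
static long migrate_to_node_unchecked(struct mm_model *mm, int source, int dest)
{
	struct vma_model *vma = find_vma_model(mm, 0);

	/* NULL dereference when the MM has no VMAs */
	return move_range_model(mm, vma->vm_start, source, dest);
}

/* Shape of the fixed code: an empty address space has nothing to migrate. */
static long migrate_to_node_model(struct mm_model *mm, int source, int dest)
{
	struct vma_model *vma = find_vma_model(mm, 0);

	if (!vma)	/* the kernel wraps this in unlikely() */
		return 0;
	return move_range_model(mm, vma->vm_start, source, dest);
}

/* Constructed sample: three VMAs, 1 + 3 = 4 pages on node 0, 4 pages on node 1. */
static const struct vma_model sample_vmas[] = {
	{ 0x400000UL,   0x401000UL,   0 },
	{ 0x600000UL,   0x604000UL,   1 },
	{ 0x7ff00000UL, 0x7ff03000UL, 0 },
};

/* Fixed version on a populated MM: moves the 4 pages that live on node 0. */
long demo_populated_mm(void)
{
	struct vma_model vmas[3];
	struct mm_model mm = { 3, vmas };

	memcpy(vmas, sample_vmas, sizeof(vmas));
	return migrate_to_node_model(&mm, 0, 1);
}

/* Fixed version on an MM with no VMAs: returns 0 instead of faulting. */
long demo_empty_mm(void)
{
	struct mm_model mm = { 0, NULL };

	return migrate_to_node_model(&mm, 0, 1);
}

/* The unchecked version is only exercised on the populated sample; on the
 * empty MM it would dereference NULL, which is the bug being fixed. */
long demo_unchecked_populated_mm(void)
{
	struct vma_model vmas[3];
	struct mm_model mm = { 3, vmas };

	memcpy(vmas, sample_vmas, sizeof(vmas));
	return migrate_to_node_unchecked(&mm, 0, 1);
}

int main(void)
{
	printf("populated MM, fixed:     %ld pages moved\n", demo_populated_mm());
	printf("populated MM, unchecked: %ld pages moved\n", demo_unchecked_populated_mm());
	printf("empty MM, fixed:         %ld pages moved\n", demo_empty_mm());
	return 0;
}
```

Both variants agree on a populated address space; they only differ on the empty one, which is exactly the case the syzkaller report exercised through `migrate_pages()` on a task whose MM had no VMAs. The practical lesson for reviewing similar code is that `find_vma()` (and its walkers) may return NULL even for `addr == 0`, so the result must be checked before any field is read.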
| Name | Last commit | Date |
|---|---|---|
| .. | | |
| damon | mm/damon/vaddr: protect vma traversal in __damon_va_thre_regions() with rcu read lock | 2024-12-09 12:25:40 -05:00 |
| kasan | Merge: kasan: make report_lock a raw spinlock | 2025-02-07 09:54:21 -05:00 |
| kfence | | |
| kmsan | kmsan: do not wipe out origin when doing partial unpoisoning | 2024-12-09 12:25:12 -05:00 |
| Kconfig | mm: Kconfig: fixup zsmalloc configuration | 2024-12-09 12:25:41 -05:00 |
| Kconfig.debug | | |
| Makefile | | |
| backing-dev.c | | |
| balloon_compaction.c | | |
| bootmem_info.c | bootmem: use kmemleak_free_part_phys in put_page_bootmem | 2024-12-09 12:22:59 -05:00 |
| cma.c | mm/cma: drop incorrect alignment check in cma_init_reserved_mem | 2024-12-09 12:25:04 -05:00 |
| cma.h | | |
| cma_debug.c | | |
| cma_sysfs.c | | |
| compaction.c | mm, virt: merge AS_UNMOVABLE and AS_INACCESSIBLE | 2024-12-09 12:25:25 -05:00 |
| debug.c | mm: make dump_page() take a const argument | 2024-12-09 12:24:33 -05:00 |
| debug_page_alloc.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| debug_page_ref.c | | |
| debug_vm_pgtable.c | mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick | 2024-12-09 12:25:15 -05:00 |
| dmapool.c | | |
| dmapool_test.c | | |
| early_ioremap.c | | |
| fadvise.c | | |
| fail_page_alloc.c | fault-inject: improve build for CONFIG_FAULT_INJECTION=n | 2024-12-17 22:59:23 +01:00 |
| failslab.c | fault-inject: improve build for CONFIG_FAULT_INJECTION=n | 2024-12-17 22:59:23 +01:00 |
| filemap.c | filemap: Fix bounds checking in filemap_read() | 2024-12-09 12:25:58 -05:00 |
| folio-compat.c | | |
| gup.c | Merge branch 'centos-stream-9-rhel9.6-block-update-v6.12' into block_test | 2025-01-02 17:25:43 +00:00 |
| gup_test.c | | |
| gup_test.h | | |
| highmem.c | x86/kexec: use pr_err() instead of kexec_dprintk() when an error occurs | 2024-12-23 09:35:34 +08:00 |
| hmm.c | | |
| huge_memory.c | mm: huge_memory: add vma_thp_disabled() and thp_disabled_by_hw() | 2024-12-09 12:25:46 -05:00 |
| hugetlb.c | hugetlb: prioritize surplus allocation from current node | 2025-01-29 14:40:37 -05:00 |
| hugetlb_cgroup.c | | |
| hugetlb_vmemmap.c | | |
| hugetlb_vmemmap.h | | |
| hwpoison-inject.c | | |
| init-mm.c | | |
| internal.h | mm: unconditionally close VMAs on error | 2024-12-09 16:30:33 -03:00 |
| interval_tree.c | | |
| io-mapping.c | | |
| ioremap.c | | |
| khugepaged.c | mm: khugepaged: fix the arguments order in khugepaged_collapse_file trace point | 2024-12-09 12:25:45 -05:00 |
| kmemleak.c | mm/kmemleak: fix sleeping function called from invalid context at print message | 2025-01-07 10:49:00 +01:00 |
| ksm.c | | |
| list_lru.c | | |
| maccess.c | | |
| madvise.c | mm/madvise: make MADV_POPULATE_(READ\|WRITE) handle VM_FAULT_RETRY properly | 2024-12-09 12:24:48 -05:00 |
| mapping_dirty_helpers.c | | |
| memblock.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| memcontrol.c | mm/memcontrol: respect zswap.writeback setting from parent cg too | 2024-12-09 12:25:37 -05:00 |
| memfd.c | | |
| memory-failure.c | fs/hugetlbfs/inode.c: mm/memory-failure.c: fix hugetlbfs hwpoison handling | 2024-12-09 12:24:19 -05:00 |
| memory-tiers.c | memory tiers: use default_dram_perf_ref_source in log message | 2024-12-09 12:25:43 -05:00 |
| memory.c | mm: don't install PMD mappings when THPs are disabled by the hw/process/vma | 2024-12-09 12:25:47 -05:00 |
| memory_hotplug.c | mm/memory_hotplug: prevent accessing by index=-1 | 2024-12-09 12:25:20 -05:00 |
| mempolicy.c | mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM | 2025-01-28 13:46:13 +00:00 |
| mempool.c | | |
| memremap.c | | |
| memtest.c | | |
| migrate.c | vmscan,migrate: fix page count imbalance on node stats when demoting pages | 2024-12-09 12:25:56 -05:00 |
| migrate_device.c | | |
| mincore.c | | |
| mlock.c | mm/mlock: set the correct prev on failure | 2024-12-09 12:25:57 -05:00 |
| mm_init.c | mm/mm_init: Fix incorrect alignment between deferred_free_pages() & deferred_free_range() | 2025-01-03 22:29:03 -05:00 |
| mm_slot.h | | |
| mmap.c | mm: resolve faulty mmap_region() error path behaviour | 2024-12-09 16:39:45 -03:00 |
| mmap_lock.c | mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer | 2024-12-09 12:25:20 -05:00 |
| mmu_gather.c | | |
| mmu_notifier.c | | |
| mmzone.c | zswap: shrink zswap pool based on memory pressure | 2024-12-09 12:23:49 -05:00 |
| mprotect.c | mm: refactor map_deny_write_exec() | 2024-12-09 16:30:34 -03:00 |
| mremap.c | mm/mremap: fix move_normal_pmd/retract_page_tables race | 2024-12-09 12:25:44 -05:00 |
| msync.c | | |
| nommu.c | mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling | 2024-12-09 16:30:34 -03:00 |
| oom_kill.c | | |
| page-writeback.c | mm/writeback: update filemap_dirty_folio() comment | 2024-12-09 12:22:29 -05:00 |
| page_alloc.c | Merge: CVE-2024-53113: mm: fix NULL pointer dereference in alloc_pages_bulk_noprof | 2024-12-30 07:30:14 -05:00 |
| page_counter.c | | |
| page_ext.c | | |
| page_idle.c | | |
| page_io.c | mm: ignore data-race in __swap_writepage | 2024-12-09 12:25:26 -05:00 |
| page_isolation.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| page_owner.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| page_poison.c | | |
| page_reporting.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| page_reporting.h | | |
| page_table_check.c | mm/page_table_check: support userfault wr-protect entries | 2024-12-09 12:25:08 -05:00 |
| page_vma_mapped.c | | |
| pagewalk.c | | |
| percpu-internal.h | | |
| percpu-km.c | | |
| percpu-stats.c | | |
| percpu-vm.c | | |
| percpu.c | percpu: scoped objcg protection | 2024-12-09 12:22:58 -05:00 |
| pgalloc-track.h | | |
| pgtable-generic.c | mm: fix race between __split_huge_pmd_locked() and GUP-fast | 2024-12-09 12:25:09 -05:00 |
| process_vm_access.c | | |
| ptdump.c | | |
| readahead.c | mm: support order-1 folios in the page cache | 2024-12-09 12:24:28 -05:00 |
| rmap.c | mm/rmap: pass folio to hugepage_add_anon_rmap() | 2024-12-09 12:22:22 -05:00 |
| rodata_test.c | | |
| secretmem.c | secretmem: disable memfd_secret() if arch cannot set direct map | 2024-12-09 12:25:44 -05:00 |
| shmem.c | fs: super_set_uuid() | 2025-02-07 17:06:38 -05:00 |
| shmem_quota.c | | |
| show_mem.c | mm, treewide: introduce NR_PAGE_ORDERS | 2024-12-09 12:24:14 -05:00 |
| shrinker.c | | |
| shrinker_debug.c | | |
| shuffle.c | | |
| shuffle.h | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| slab.c | Merge: io_uring: Update to upstream v6.10 + fixes | 2025-01-13 18:58:47 +00:00 |
| slab.h | mm/slub: Avoid list corruption when removing a slab from the full list | 2025-01-08 18:16:46 -05:00 |
| slab_common.c | mm: krealloc: Fix MTE false alarm in __do_krealloc | 2024-12-09 12:25:55 -05:00 |
| slub.c | Merge: mm/slub: Avoid list corruption when removing a slab from the full list | 2025-01-14 14:18:33 +00:00 |
| sparse-vmemmap.c | | |
| sparse.c | | |
| swap.c | mm: page_alloc: move mlocked flag clearance into free_pages_prepare() | 2024-12-09 12:25:59 -05:00 |
| swap.h | mm: convert swap_cluster_readahead and swap_vma_readahead to return a folio | 2024-12-09 12:24:09 -05:00 |
| swap_cgroup.c | | |
| swap_slots.c | | |
| swap_state.c | mm/swap_state: update zswap LRU's protection range with the folio locked | 2024-12-09 12:24:21 -05:00 |
| swapfile.c | mm/swapfile: skip HugeTLB pages for unuse_vma | 2024-12-09 12:25:48 -05:00 |
| truncate.c | mm: Fix missing folio invalidation calls during truncation | 2024-12-09 12:25:34 -05:00 |
| usercopy.c | | |
| userfaultfd.c | | |
| util.c | mm: only enforce minimum stack gap size if it's sensible | 2024-12-09 12:25:38 -05:00 |
| vmalloc.c | smb: client: improve compound padding in encryption | 2025-01-28 10:33:17 -03:00 |
| vmpressure.c | | |
| vmscan.c | Merge: CVE-2024-57884: mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() | 2025-01-27 15:24:28 +01:00 |
| vmstat.c | mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER | 2024-12-09 12:24:17 -05:00 |
| workingset.c | | |
| z3fold.c | | |
| zbud.c | | |
| zpool.c | | |
| zswap.c | mm: zswap: fix shrinker NULL crash with cgroup_disable=memory | 2024-12-09 12:24:53 -05:00 |