CVE-2022-48897 Information

Description

In the Linux kernel the following vulnerability has been resolved:

arm64/mm: fix incorrect file_map_count for invalid pmd

The page table check trigger BUG_ON() unexpectedly when split hugepage:

————[ cut here ]———— kernel BUG at mm/page_table_check.c:119! Internal error: Oops - BUG: 00000000f2000800 [1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 7 PID: 210 Comm: transhuge-stres Not tainted 6.1.0-rc3+ 748 Hardware name: linuxdummy-virt (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : page_table_check_set.isra.0+0x398/0x468 lr : page_table_check_set.isra.0+0x1c0/0x468 […] Call trace: page_table_check_set.isra.0+0x398/0x468 __page_table_check_pte_set+0x160/0x1c0 __split_huge_pmd_locked+0x900/0x1648 __split_huge_pmd+0x28c/0x3b8 unmap_page_range+0x428/0x858 unmap_single_vma+0xf4/0x1c8 zap_page_range+0x2b0/0x410 madvise_vma_behavior+0xc44/0xe78 do_madvise+0x280/0x698 __arm64_sys_madvise+0x90/0xe8 invoke_syscall.constprop.0+0xdc/0x1d8 do_el0_svc+0xf4/0x3f8 el0_svc+0x58/0x120 el0t_64_sync_handler+0xb8/0xc0 el0t_64_sync+0x19c/0x1a0 […]

On arm64 pmd_leaf() will return true even if the pmd is invalid due to pmd_present_invalid() check. So in pmdp_invalidate() the file_map_count will not only decrease once but also increase once. Then in set_pte_at() the file_map_count increase again and so trigger BUG_ON() unexpectedly.

Add !pmd_present_invalid() check in pmd_user_accessible_page() to fix the problem.

Reference

https://git.kernel.org/stable/c/21e5eca0ac9046da9918a919bc92b7b5a78d27e7 https://git.kernel.org/stable/c/74c2f81054510d45b813548cb0a1c4ebf87cdd5f