CVE-2023-52490 Information

Description

In the Linux kernel the following vulnerability has been resolved:

mm: migrate: fix getting incorrect page mapping during page migration

When running stress-ng testing we found below kernel crash after a few hours:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 …… Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ……

After analyzing the vmcore I found this issue is caused by page migration. The scenario is that one thread is doing page migration and we will use the target page’s ->mapping field to save ‘anon_vma’ pointer between page unmap and page move and now the target page is locked and refcount is 1.

Currently there is another stress-ng thread performing memory hotplug attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1 preventing the offline operation thus proceeding to dump the page. However page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping() since the target page->mapping only saves ‘anon_vma’ pointer without setting PAGE_MAPPING_ANON flag.

There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page’s ->mapping when saving ‘anon_vma’ but this can confuse PageAnon() for PFN walkers since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system however there are still some PFN walkers that call page_mapping() without holding the page lock such as compaction. (3) Using target page->private field to save the ‘anon_vma’ pointer and 2 bits page state just as page->mapping records an anonymous page which can remove the page_mapping() impact for PFN walkers and also seems a simple way.

So I choose option 3 to fix this issue and this can also fix other potential issues for PFN walkers such as compaction.

Reference

https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767 https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61