Commit 747db89c authored Feb 17, 2025 by Lorenzo Stoakes Committed by Wupeng Ma Feb 17, 2025

mm: unconditionally close VMAs on error

stable inclusion
from stable-v5.10.231
commit 7a450540c82f4fa99f60727acd5b402f3d1786f7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB7051
CVE: CVE-2024-53096

Reference: https://lore.kernel.org/linux-mm/99f72d6dc52835126ca6d2e79732d397f6bfa20b.1731670097.git.lorenzo.stoakes@oracle.com/T/

--------------------------------

[ Upstream commit 4080ef1579b2413435413988d14ac8c68e4d42c8 ]

Incorrect invocation of VMA callbacks when the VMA is no longer in a
consistent state is bug prone and risky to perform.

With regards to the important vm_ops->close() callback We have gone to
great lengths to try to track whether or not we ought to close VMAs.

Rather than doing so and risking making a mistake somewhere, instead
unconditionally close and reset vma->vm_ops to an empty dummy operations
set with a NULL .close operator.

We introduce a new function to do so - vma_close() - and simplify existing
vms logic which tracked whether we needed to close or not.

This simplifies the logic, avoids incorrect double-calling of the .close()
callback and allows us to update error paths to simply call vma_close()
unconditionally - making VMA closure idempotent.

Link: https://lkml.kernel.org/r/28e89dda96f68c505cb6f8e9fc9b57c3e9f74b42.1730224667.git.lorenzo.stoakes@oracle.com


Fixes: deb0f656 ("mm/mmap: undo ->mmap() when arch_validate_flags() fails")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: Jann Horn <jannh@google.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Reviewed-by: Jann Horn <jannh@google.com>
Cc: Andreas Larsson <andreas@gaisler.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Helge Deller <deller@gmx.de>
Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Brown <broonie@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Will Deacon <will@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ma Wupeng <mawupeng1@huawei.com>

parent 5ec57610

mm/internal.h

+7 −0

Original line number	Diff line number	Diff line
		@@ -61,6 +61,13 @@ void page_writeback_init(void);
		*/
		int mmap_file(struct file file, struct vm_area_struct vma);

		/*
		* If the VMA has a close hook then close it, and since closing it might leave
		* it in an inconsistent state which makes the use of any hooks suspect, clear
		* them down by installing dummy empty hooks.
		*/
		void vma_close(struct vm_area_struct *vma);

		vm_fault_t do_swap_page(struct vm_fault *vmf);

		void free_pgtables(struct mmu_gather tlb, struct vm_area_struct start_vma,

mm/mmap.c

+3 −6

Original line number	Diff line number	Diff line
		@@ -185,8 +185,7 @@ static struct vm_area_struct remove_vma(struct vm_area_struct vma)
		struct vm_area_struct *next = vma->vm_next;

		might_sleep();
		if (vma->vm_ops && vma->vm_ops->close)
		vma->vm_ops->close(vma);
		vma_close(vma);
		if (vma->vm_file)
		fput(vma->vm_file);
		mpol_put(vma_policy(vma));
		@@ -1959,8 +1958,7 @@ static unsigned long __mmap_region(struct mm_struct mm, struct file file,
		return addr;

		close_and_free_vma:
		if (vma->vm_ops && vma->vm_ops->close)
		vma->vm_ops->close(vma);
		vma_close(vma);
		unmap_and_free_vma:
		vma->vm_file = NULL;
		fput(file);
		@@ -2885,8 +2883,7 @@ int __split_vma(struct mm_struct mm, struct vm_area_struct vma,
		return 0;

		/* Clean everything up if vma_adjust failed. */
		if (new->vm_ops && new->vm_ops->close)
		new->vm_ops->close(new);
		vma_close(new);
		if (new->vm_file)
		fput(new->vm_file);
		unlink_anon_vmas(new);

mm/nommu.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -662,8 +662,7 @@ static void delete_vma_from_mm(struct vm_area_struct *vma)
		*/
		static void delete_vma(struct mm_struct mm, struct vm_area_struct vma)
		{
		if (vma->vm_ops && vma->vm_ops->close)
		vma->vm_ops->close(vma);
		vma_close(vma);
		if (vma->vm_file)
		fput(vma->vm_file);
		put_nommu_region(vma->vm_region);

mm/util.c

+15 −0

Original line number	Diff line number	Diff line
		@@ -1097,3 +1097,18 @@ int mmap_file(struct file file, struct vm_area_struct vma)

		return err;
		}

		void vma_close(struct vm_area_struct *vma)
		{
		static const struct vm_operations_struct dummy_vm_ops = {};

		if (vma->vm_ops && vma->vm_ops->close) {
		vma->vm_ops->close(vma);

		/*
		* The mapping is in an inconsistent state, and no further hooks
		* may be invoked upon it.
		*/
		vma->vm_ops = &dummy_vm_ops;
		}
		}