    userfaultfd: fix BUG_ON() in userfaultfd_release() · 0b93af15
    Xiongfeng Wang committed
    hulk inclusion
    category: bugfix
    bugzilla: 175146
    CVE: NA
    
    ------------------------------------
    
    Syzkaller caught the following BUG_ON:
    
    ------------[ cut here ]------------
    kernel BUG at fs/userfaultfd.c:909!
    Internal error: Oops - BUG: 0 [#1] SMP
    Dumping ftrace buffer:
       (ftrace buffer empty)
    Modules linked in:
    Process syz-executor.2 (pid: 1994, stack limit = 0x0000000048da525b)
    CPU: 0 PID: 1994 Comm: syz-executor.2 Not tainted 4.19.90+ #6
    Hardware name: linux,dummy-virt (DT)
    pstate: 80000005 (Nzcv daif -PAN -UAO)
    pc : userfaultfd_release+0x4f0/0x6a0 fs/userfaultfd.c:908
    lr : userfaultfd_release+0x4f0/0x6a0 fs/userfaultfd.c:908
    sp : ffff80017d247c80
    x29: ffff80017d247c90 x28: ffff80019b25f720
    x27: 2000000000100077 x26: ffff80017c28fe40
    x25: ffff80019b25f770 x24: ffff80019b25f7e0
    x23: ffff80019b25e378 x22: 1ffff0002fa48fa6
    x21: ffff80017f103200 x20: dfff200000000000
    x19: ffff80017c28fe40 x18: 0000000000000000
    x17: ffffffff00000001 x16: 0000000000000000
    x15: 0000000000000000 x14: 0000000000000000
    x13: 0000000000000000 x12: 0000000000000000
    x11: 0000000000000000 x10: 0000000000000000
    x9 : 1ffff0002fa48fa6 x8 : ffff10002fa48fa6
    x7 : ffff20000add39f0 x6 : 00000000f2000000
    x5 : 0000000000000000 x4 : ffff10002fa48f76
    x3 : ffff200008000000 x2 : ffff20000a61d000
    x1 : ffff800160aa9000 x0 : 0000000000000000
    Call trace:
     userfaultfd_release+0x4f0/0x6a0 fs/userfaultfd.c:908
     __fput+0x20c/0x688 fs/file_table.c:278
     ____fput+0x24/0x30 fs/file_table.c:309
     task_work_run+0x13c/0x2f8 kernel/task_work.c:135
     tracehook_notify_resume include/linux/tracehook.h:193 [inline]
     do_notify_resume+0x380/0x628 arch/arm64/kernel/signal.c:728
     work_pending+0x8/0x10
    Code: 97ecb0e4 d4210000 17ffffc7 97ecb0e1 (d4210000)
    ---[ end trace de790a3f637d9e60 ]---
    
    In userfaultfd_release(), we check if 'vm_userfaultfd_ctx' and
    'vm_flags&(VM_UFFD_MISSING|VM_UFFD_WP)' are not zero at the same time.
    If not, it is a bug. But we lack checking for the VM_USWAP flag. So add it to
    avoid the false BUG_ON(). This patch also fixes several other issues.
    
    Fixes: c3e6287f ("userswap: support userswap via userfaultfd")
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
    Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    
     Conflicts:
    	fs/userfaultfd.c
    Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
    Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
    Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>