Revert "mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"

Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2590

This reverts upstream commit 9ae0f87d009ca6c4aab2882641ddfc319727e3db.

David Hildenbrand reports:

    Note 2: Kernels before extended uffd-wp support and before
            PageAnonExclusive (< 5.19) can simply revert the problematic
            commit instead and be safe regarding UFFDIO_CONTINUE. A backport to
            v5.19 requires minor adjustments due to lack of
            vma_soft_dirty_enabled().

Link: https://lore.kernel.org/linux-mm/20220808073232.8808-1-david@redhat.com/
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name Revert-mm-shmem-unconditionally-set-pte-dirty-in-mfi.patch

diff --git a/mm/shmem.c b/mm/shmem.c
index 0fcd0cfea35df3fb6743894167db121dc03ff1c2..d38c4f8cbc562b992045b3bbbf7189ff8fa0732b 100644 (file)
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2401,6 +2401,7 @@ int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
        shmem_recalc_inode(inode);
        spin_unlock_irq(&info->lock);
 
+       SetPageDirty(page);
        unlock_page(page);
        return 0;
 out_delete_from_cache:

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 128b17fe981235c6814e202bbba552e7430c0e4a..d01c67304bdb62eb28096ed284946b2f3c6a71a7 100644 (file)
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -69,9 +69,10 @@ int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
        pgoff_t offset, max_off;
 
        _dst_pte = mk_pte(page, dst_vma->vm_page_prot);
-       _dst_pte = pte_mkdirty(_dst_pte);
        if (page_in_cache && !vm_shared)
                writable = false;
+       if (writable || !page_in_cache)
+               _dst_pte = pte_mkdirty(_dst_pte);
 
        /*
         * Always mark a PTE as write-protected when needed, regardless of