From 6bde509bc5c33e4dd2936016e683c3cd48f8c82c Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Tue, 9 Aug 2022 20:04:52 +0200
Subject: [PATCH] Revert "mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte"
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2590

This reverts upstream commit 9ae0f87d009ca6c4aab2882641ddfc319727e3db.

David Hildenbrand reports:

Note 2: Kernels before extended uffd-wp support and before PageAnonExclusive (< 5.19) can simply revert the problematic commit instead and be safe regarding UFFDIO_CONTINUE. A backport to v5.19 requires minor adjustments due to lack of vma_soft_dirty_enabled().

Link: https://lore.kernel.org/linux-mm/20220808073232.8808-1-david@redhat.com/

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name Revert-mm-shmem-unconditionally-set-pte-dirty-in-mfi.patch
---
 mm/shmem.c | 1 +
 mm/userfaultfd.c | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/mm/shmem.c b/mm/shmem.c
index 0fcd0cfea35..d38c4f8cbc5 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2401,6 +2401,7 @@ int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
 shmem_recalc_inode(inode);
 spin_unlock_irq(&info->lock);
 
+ SetPageDirty(page);
 unlock_page(page);
 return 0;
 out_delete_from_cache:
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 128b17fe981..d01c67304bd 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -69,9 +69,10 @@ int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
 pgoff_t offset, max_off;
 
 _dst_pte = mk_pte(page, dst_vma->vm_page_prot);
- _dst_pte = pte_mkdirty(_dst_pte);
 if (page_in_cache && !vm_shared)
 writable = false;
+ if (writable || !page_in_cache)
+ _dst_pte = pte_mkdirty(_dst_pte);
 
 /*
 * Always mark a PTE as write-protected when needed, regardless of
-- 
2.30.2
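Review bot: The re-added `SetPageDirty(page)` before `unlock_page(page)` carries no comment saying why the page cache page, rather than the installed PTE, is dirtied here, and the reason lives only in the revert's cover text. A later cleanup that re-centralizes dirtying into mfill_atomic_install_pte() would quietly reintroduce the CVE-2022-2590 condition, so I would pin it in the source: `/* Dirty the page cache page here: mfill_atomic_install_pte() deliberately leaves the PTE clean for read-only private mappings (CVE-2022-2590). */`. shmem_mfill_atomic_pte() begins above the hunk, so I cannot see how the page was filled; the pre-9ae0f87d code dirtied it at this point regardless, which this line restores.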
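Review bot: The new `if (writable || !page_in_cache)` guard leaves the security property implicit: for a UFFDIO_CONTINUE into a private mapping (`page_in_cache && !vm_shared`, where `writable` was just cleared) the PTE is now installed neither writable nor dirty, which, per the linked report, is what stops a FOLL_FORCE write from taking the dirty bit as proof of a completed COW and writing straight into the shared page cache page. I would state that above the `if`, e.g. `/* Only dirty the PTE when the mapping may legitimately write the page: a dirty but write-protected PTE on a private shmem mapping lets FOLL_FORCE bypass COW (CVE-2022-2590). */`. One caveat to confirm against the rest of the function, which continues below the hunk: if this tree already carries uffd-wp for shmem, `writable` may still be true here for a `wp_copy` install that is write-protected further down, leaving a dirty write-protected PTE — the commit message's Note 2 says a plain revert is only sufficient for kernels without that support.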