mremap: CVE-2018-18281intel-4.9

mremap: properly flush TLB before releasing the page

References:
https://nvd.nist.gov/vuln/detail/CVE-2018-18281
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e34bd9a96704f7089ccad61b6e01ea985fa54dd6

Change-Id: Iae36afb200b136808d0e1a81fd1f1ded24fe9c71
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 183 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index b4740c7..cdc7341 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -23,6 +23,9 @@ patch CVE-2018-13099-f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of.patch
 #CVEs fixed in 4.9.131:
 patch CVE-2018-10880-ext4-never-move-the-system.data-xattr-out-of-the-ino.patch
 
+#CVEs fixed in 4.9.135:
+patch CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
+
 #CVEs fixed in 4.9.138:
 patch CVE-2018-16871-nfsd-COPY-and-CLONE-operations-require-the-saved-fil.patch
 
diff --git a/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch b/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
new file mode 100644
index 0000000..e1424d0
--- /dev/null
+++ b/patches/cve/CVE-2018-18281-mremap-properly-flush-TLB-before-releasing-the-page.patch
@@ -0,0 +1,180 @@
+From e34bd9a96704f7089ccad61b6e01ea985fa54dd6 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Fri, 12 Oct 2018 15:22:59 -0700
+Subject: [PATCH] mremap: properly flush TLB before releasing the page
+
+commit eb66ae030829605d61fbef1909ce310e29f78821 upstream.
+
+Jann Horn points out that our TLB flushing was subtly wrong for the
+mremap() case.  What makes mremap() special is that we don't follow the
+usual "add page to list of pages to be freed, then flush tlb, and then
+free pages".  No, mremap() obviously just _moves_ the page from one page
+table location to another.
+
+That matters, because mremap() thus doesn't directly control the
+lifetime of the moved page with a freelist: instead, the lifetime of the
+page is controlled by the page table locking, that serializes access to
+the entry.
+
+As a result, we need to flush the TLB not just before releasing the lock
+for the source location (to avoid any concurrent accesses to the entry),
+but also before we release the destination page table lock (to avoid the
+TLB being flushed after somebody else has already done something to that
+page).
+
+This also makes the whole "need_flush" logic unnecessary, since we now
+always end up flushing the TLB for every valid entry.
+
+CVE: CVE-2018-18281
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=e34bd9a96704f7089ccad61b6e01ea985fa54dd6]
+
+Reported-and-tested-by: Jann Horn <jannh@google.com>
+Acked-by: Will Deacon <will.deacon@arm.com>
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ include/linux/huge_mm.h |  2 +-
+ mm/huge_memory.c        | 10 ++++------
+ mm/mremap.c             | 30 +++++++++++++-----------------
+ 3 files changed, 18 insertions(+), 24 deletions(-)
+
+diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
+index e35e6de633b9..9b9f65d99873 100644
+--- a/include/linux/huge_mm.h
++++ b/include/linux/huge_mm.h
+@@ -22,7 +22,7 @@ extern int mincore_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+                        unsigned char *vec);
+ extern bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+                         unsigned long new_addr, unsigned long old_end,
+-                        pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush);
++                        pmd_t *old_pmd, pmd_t *new_pmd);
+ extern int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+                        unsigned long addr, pgprot_t newprot,
+                        int prot_numa);
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index e4c6c3edaf6a..9f7bba700e4e 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1445,7 +1445,7 @@ int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ 
+ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+                  unsigned long new_addr, unsigned long old_end,
+-                 pmd_t *old_pmd, pmd_t *new_pmd, bool *need_flush)
++                 pmd_t *old_pmd, pmd_t *new_pmd)
+ {
+        spinlock_t *old_ptl, *new_ptl;
+        pmd_t pmd;
+@@ -1476,7 +1476,7 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+                if (new_ptl != old_ptl)
+                        spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING);
+                pmd = pmdp_huge_get_and_clear(mm, old_addr, old_pmd);
+-               if (pmd_present(pmd) && pmd_dirty(pmd))
++               if (pmd_present(pmd))
+                        force_flush = true;
+                VM_BUG_ON(!pmd_none(*new_pmd));
+ 
+@@ -1487,12 +1487,10 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+                        pgtable_trans_huge_deposit(mm, new_pmd, pgtable);
+                }
+                set_pmd_at(mm, new_addr, new_pmd, pmd_mksoft_dirty(pmd));
+-               if (new_ptl != old_ptl)
+-                       spin_unlock(new_ptl);
+                if (force_flush)
+                        flush_tlb_range(vma, old_addr, old_addr + PMD_SIZE);
+-               else
+-                       *need_flush = true;
++               if (new_ptl != old_ptl)
++                       spin_unlock(new_ptl);
+                spin_unlock(old_ptl);
+                return true;
+        }
+diff --git a/mm/mremap.c b/mm/mremap.c
+index 15976716dd40..9e6035969d7b 100644
+--- a/mm/mremap.c
++++ b/mm/mremap.c
+@@ -104,7 +104,7 @@ static pte_t move_soft_dirty_pte(pte_t pte)
+ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
+                unsigned long old_addr, unsigned long old_end,
+                struct vm_area_struct *new_vma, pmd_t *new_pmd,
+-               unsigned long new_addr, bool need_rmap_locks, bool *need_flush)
++               unsigned long new_addr, bool need_rmap_locks)
+ {
+        struct mm_struct *mm = vma->vm_mm;
+        pte_t *old_pte, *new_pte, pte;
+@@ -152,15 +152,17 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
+ 
+                pte = ptep_get_and_clear(mm, old_addr, old_pte);
+                /*
+-                * If we are remapping a dirty PTE, make sure
++                * If we are remapping a valid PTE, make sure
+                 * to flush TLB before we drop the PTL for the
+-                * old PTE or we may race with page_mkclean().
++                * PTE.
+                 *
+-                * This check has to be done after we removed the
+-                * old PTE from page tables or another thread may
+-                * dirty it after the check and before the removal.
++                * NOTE! Both old and new PTL matter: the old one
++                * for racing with page_mkclean(), the new one to
++                * make sure the physical page stays valid until
++                * the TLB entry for the old mapping has been
++                * flushed.
+                 */
+-               if (pte_present(pte) && pte_dirty(pte))
++               if (pte_present(pte))
+                        force_flush = true;
+                pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
+                pte = move_soft_dirty_pte(pte);
+@@ -168,13 +170,11 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
+        }
+ 
+        arch_leave_lazy_mmu_mode();
++       if (force_flush)
++               flush_tlb_range(vma, old_end - len, old_end);
+        if (new_ptl != old_ptl)
+                spin_unlock(new_ptl);
+        pte_unmap(new_pte - 1);
+-       if (force_flush)
+-               flush_tlb_range(vma, old_end - len, old_end);
+-       else
+-               *need_flush = true;
+        pte_unmap_unlock(old_pte - 1, old_ptl);
+        if (need_rmap_locks)
+                drop_rmap_locks(vma);
+@@ -189,7 +189,6 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+ {
+        unsigned long extent, next, old_end;
+        pmd_t *old_pmd, *new_pmd;
+-       bool need_flush = false;
+        unsigned long mmun_start;       /* For mmu_notifiers */
+        unsigned long mmun_end;         /* For mmu_notifiers */
+ 
+@@ -220,8 +219,7 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+                                if (need_rmap_locks)
+                                        take_rmap_locks(vma);
+                                moved = move_huge_pmd(vma, old_addr, new_addr,
+-                                                   old_end, old_pmd, new_pmd,
+-                                                   &need_flush);
++                                                   old_end, old_pmd, new_pmd);
+                                if (need_rmap_locks)
+                                        drop_rmap_locks(vma);
+                                if (moved)
+@@ -239,10 +237,8 @@ unsigned long move_page_tables(struct vm_area_struct *vma,
+                if (extent > LATENCY_LIMIT)
+                        extent = LATENCY_LIMIT;
+                move_ptes(vma, old_pmd, old_addr, old_addr + extent, new_vma,
+-                         new_pmd, new_addr, need_rmap_locks, &need_flush);
++                         new_pmd, new_addr, need_rmap_locks);
+        }
+-       if (need_flush)
+-               flush_tlb_range(vma, old_end-len, old_addr);
+ 
+        mmu_notifier_invalidate_range_end(vma->vm_mm, mmun_start, mmun_end);
+ 
+-- 
+2.20.1
+