mm/hugetlb: address race condition in hugetlb_no_page()

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2158123
CVE: CVE-2022-3522

hugetlb_no_page() is called without holding the page table lock,
as it takes the spinlock later down the execution path, when it
really is installing the PTE in the page tables. That, however,
opens up a window for data races when evaluating the PTE value
for USERFAULTFD fault handling.

Rafael Aquini (4):
mm/hugetlb: handle pte markers in page faults
mm/hugetlb: fix race condition of uffd missing/minor handling
mm/hugetlb: use hugetlb_pte_stable in migration race check
mm/selftest: uffd: explain the write missing fault check

mm/hugetlb.c | 69 +++++++++++++++++++++---
tools/testing/selftests/vm/userfaultfd.c | 22 +++++++-
2 files changed, 82 insertions(+), 9 deletions(-)

Signed-off-by: Rafael Aquini <aquini@redhat.com>
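The race the cover letter describes is a check-then-act on a value read without its lock: hugetlb_no_page() looks at the PTE before taking the page table lock, so a decision made on that snapshot (for example "this entry is missing, hand the fault to userfaultfd") can be stale by the time it is acted on. The userspace model below is an added example, not code from this series or from the kernel; pte_t, struct page_table, pte_stable(), handle_no_page_racy(), handle_no_page_fixed(), the fault_result values and the constructed PTE values are all this example's own assumptions. It contrasts the racy shape with the re-validate-under-lock shape the series moves to: take the lock, confirm the entry is still what was read, and return a retry result otherwise.

```c
/* Added example: a userspace model of the check-then-re-validate pattern
 * applied to hugetlb_no_page().  It is not kernel code; pte_t, the
 * page_table struct, pte_stable(), handle_no_page_racy/fixed() and the
 * fault_result values are all this example's own assumptions. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pte_t;
#define PTE_NONE ((pte_t)0)

/* Minimal page-table model: one entry guarded by a (modelled) spinlock. */
struct page_table {
    int locked;
    pte_t pte;
};

enum fault_result { FAULT_INSTALLED, FAULT_RETRY, FAULT_UFFD_MISSING };

static void pt_lock(struct page_table *pt)   { assert(!pt->locked); pt->locked = 1; }
static void pt_unlock(struct page_table *pt) { assert(pt->locked);  pt->locked = 0; }

/* Under the lock: is the entry still the value that was read without it? */
static int pte_stable(const struct page_table *pt, pte_t seen)
{
    assert(pt->locked);
    return pt->pte == seen;
}

/* Hook type standing in for "another thread runs here" in the model. */
typedef void (*interleave_fn)(struct page_table *);

/* Racy shape: decides on the lockless PTE snapshot, so a concurrent writer
 * between the read and the decision makes it report a stale result. */
static enum fault_result handle_no_page_racy(struct page_table *pt,
                                             int uffd_registered,
                                             interleave_fn other_thread)
{
    pte_t seen = pt->pte;                 /* read without the lock */
    if (other_thread) other_thread(pt);   /* the race window */
    if (seen == PTE_NONE && uffd_registered)
        return FAULT_UFFD_MISSING;        /* stale if a page was just installed */
    pt_lock(pt);
    pt->pte = 0x1000;                     /* install a constructed new entry */
    pt_unlock(pt);
    return FAULT_INSTALLED;
}

/* Fixed shape: take the lock, confirm the entry is unchanged, and if not
 * return FAULT_RETRY so the caller re-faults and sees the current state. */
static enum fault_result handle_no_page_fixed(struct page_table *pt,
                                              int uffd_registered,
                                              interleave_fn other_thread)
{
    pte_t seen = pt->pte;
    if (other_thread) other_thread(pt);
    pt_lock(pt);
    if (!pte_stable(pt, seen)) {
        pt_unlock(pt);
        return FAULT_RETRY;
    }
    if (seen == PTE_NONE && uffd_registered) {
        pt_unlock(pt);
        return FAULT_UFFD_MISSING;        /* decided on a validated value */
    }
    pt->pte = 0x1000;
    pt_unlock(pt);
    return FAULT_INSTALLED;
}

/* Constructed concurrent writer: installs a page properly, under the lock. */
static void other_thread_installs_page(struct page_table *pt)
{
    pt_lock(pt);
    pt->pte = 0x2000;
    pt_unlock(pt);
}

/* Run one scenario from a fresh, empty entry and return the fault result. */
static enum fault_result run_scenario(int fixed, int uffd_registered,
                                      int concurrent_install)
{
    struct page_table pt = { 0, PTE_NONE };
    interleave_fn hook = concurrent_install ? other_thread_installs_page : NULL;
    return fixed ? handle_no_page_fixed(&pt, uffd_registered, hook)
                 : handle_no_page_racy(&pt, uffd_registered, hook);
}

int main(void)
{
    printf("racy,  uffd, concurrent install -> %d (stale UFFD_MISSING)\n",
           run_scenario(0, 1, 1));
    printf("fixed, uffd, concurrent install -> %d (RETRY)\n",
           run_scenario(1, 1, 1));
    printf("fixed, uffd, no race            -> %d (UFFD_MISSING)\n",
           run_scenario(1, 1, 0));
    return 0;
}
```

In the racy scenario the handler reports a missing page to userfaultfd even though another thread has already installed one; the fixed handler notices under the lock that the entry moved and asks for a retry, which is the role hugetlb_pte_stable() plays in the series.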
