x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()

JIRA: https://issues.redhat.com/browse/RHEL-104908
CVE: CVE-2025-22090

This patch is a backport of the following upstream commit:
commit dc84bc2
Author: David Hildenbrand <[email protected]>
Date:   Fri Mar 21 12:23:23 2025 +0100

    x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()

    If track_pfn_copy() fails, we already added the dst VMA to the maple
    tree. As fork() fails, we'll cleanup the maple tree, and stumble over
    the dst VMA for which we neither performed any reservation nor copied
    any page tables.

    Consequently untrack_pfn() will see VM_PAT and try obtaining the
    PAT information from the page table -- which fails because the page
    table was not copied.

    The easiest fix would be to simply clear the VM_PAT flag of the dst VMA
    if track_pfn_copy() fails. However, the whole thing is about "simply"
    clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()
    and performed a reservation, but copying the page tables fails, we'll
    simply clear the VM_PAT flag, not properly undoing the reservation ...
    which is also wrong.

    So let's fix it properly: set the VM_PAT flag only if the reservation
    succeeded (leaving it clear initially), and undo the reservation if
    anything goes wrong while copying the page tables: clearing the VM_PAT
    flag after undoing the reservation.

    Note that any copied page table entries will get zapped when the VMA will
    get removed later, after copy_page_range() succeeded; as VM_PAT is not set
    then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be
    happy. Note that leaving these page tables in place without a reservation
    is not a problem, as we are aborting fork(); this process will never run.

    A reproducer can trigger this usually at the first try:

      https://gitlab.com/davidhildenbrand/scratchspace/-/raw/main/reproducers/pat_fork.c

      WARNING: CPU: 26 PID: 11650 at arch/x86/mm/pat/memtype.c:983 get_pat_info+0xf6/0x110
      Modules linked in: ...
      CPU: 26 UID: 0 PID: 11650 Comm: repro3 Not tainted 6.12.0-rc5+ #92
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
      RIP: 0010:get_pat_info+0xf6/0x110
      ...
      Call Trace:
       <TASK>
       ...
       untrack_pfn+0x52/0x110
       unmap_single_vma+0xa6/0xe0
       unmap_vmas+0x105/0x1f0
       exit_mmap+0xf6/0x460
       __mmput+0x4b/0x120
       copy_process+0x1bf6/0x2aa0
       kernel_clone+0xab/0x440
       __do_sys_clone+0x66/0x90
       do_syscall_64+0x95/0x180

    Likely this case was missed in:

      d155df5 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed")

    ... and instead of undoing the reservation we simply cleared the VM_PAT flag.

    Keep the documentation of these functions in include/linux/pgtable.h,
    one place is more than sufficient -- we should clean that up for the other
    functions like track_pfn_remap/untrack_pfn separately.

    Fixes: d155df5 ("x86/mm/pat: clear VM_PAT if copy_p4d_range failed")
    Fixes: 2ab6403 ("x86: PAT: hooks in generic vm code to help archs to track pfnmap regions - v3")
    Reported-by: xingwei lee <[email protected]>
    Reported-by: yuxin wang <[email protected]>
    Reported-by: Marius Fleischer <[email protected]>
    Signed-off-by: David Hildenbrand <[email protected]>
    Signed-off-by: Ingo Molnar <[email protected]>
    Cc: Andy Lutomirski <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Cc: Rik van Riel <[email protected]>
    Cc: "H. Peter Anvin" <[email protected]>
    Cc: Linus Torvalds <[email protected]>
    Cc: Andrew Morton <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Closes: https://lore.kernel.org/lkml/CABOYnLx_dnqzpCW99G81DmOr+2UzdmZMk=T3uxwNxwz+R1RAwg@mail.gmail.com/
    Closes: https://lore.kernel.org/lkml/CAJg=8jwijTP5fre8woS4JVJQ8iUA6v+iNcsOgtj9Zfpc3obDOQ@mail.gmail.com/

Signed-off-by: Audra Mitchell <[email protected]>

Author: Audra Mitchell

arch/x86/mm/pat/memtype.c

@@ -1000,29 +1000,42 @@ static int get_pat_info(struct vm_area_struct *vma, resource_size_t *paddr,
 	return -EINVAL;
 }
 
-/*
- * track_pfn_copy is called when vma that is covering the pfnmap gets
- * copied through copy_page_range().
- *
- * If the vma has a linear pfn mapping for the entire range, we get the prot
- * from pte and reserve the entire vma range with single reserve_pfn_range call.
- */
-int track_pfn_copy(struct vm_area_struct *vma)
+int track_pfn_copy(struct vm_area_struct *dst_vma,
+		struct vm_area_struct *src_vma, unsigned long *pfn)
 {
+	const unsigned long vma_size = src_vma->vm_end - src_vma->vm_start;
 	resource_size_t paddr;
-	unsigned long vma_size = vma->vm_end - vma->vm_start;
 	pgprot_t pgprot;
+	int rc;
 
-	if (vma->vm_flags & VM_PAT) {
-		if (get_pat_info(vma, &paddr, &pgprot))
-			return -EINVAL;
-		/* reserve the whole chunk covered by vma. */
-		return reserve_pfn_range(paddr, vma_size, &pgprot, 1);
-	}
+	if (!(src_vma->vm_flags & VM_PAT))
+		return 0;
+
+	/*
+	 * Duplicate the PAT information for the dst VMA based on the src
+	 * VMA.
+	 */
+	if (get_pat_info(src_vma, &paddr, &pgprot))
+		return -EINVAL;
+	rc = reserve_pfn_range(paddr, vma_size, &pgprot, 1);
+	if (rc)
+		return rc;
 
+	/* Reservation for the destination VMA succeeded. */
+	vm_flags_set(dst_vma, VM_PAT);
+	*pfn = PHYS_PFN(paddr);
 	return 0;
 }
 
+void untrack_pfn_copy(struct vm_area_struct *dst_vma, unsigned long pfn)
+{
+	untrack_pfn(dst_vma, pfn, dst_vma->vm_end - dst_vma->vm_start, true);
+	/*
+	 * Reservation was freed, any copied page tables will get cleaned
+	 * up later, but without getting PAT involved again.
+	 */
+}
+
 /*
  * prot is passed in as a parameter for the new mapping. If the vma has
  * a linear pfn mapping for the entire range, or no vma is provided,
@@ -1111,15 +1124,6 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn,
 	}
 }
 
-/*
- * untrack_pfn_clear is called if the following situation fits:
- *
- * 1) while mremapping a pfnmap for a new region,  with the old vma after
- * its pfnmap page table has been removed.  The new vma has a new pfnmap
- * to the same pfn & cache type with VM_PAT set.
- * 2) while duplicating vm area, the new vma fails to copy the pgtable from
- * old vma.
- */
 void untrack_pfn_clear(struct vm_area_struct *vma)
 {
 	vm_flags_clear(vma, VM_PAT);

include/linux/pgtable.h

@@ -1277,14 +1277,25 @@ static inline void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot,
 }
 
 /*
- * track_pfn_copy is called when vma that is covering the pfnmap gets
- * copied through copy_page_range().
+ * track_pfn_copy is called when a VM_PFNMAP VMA is about to get the page
+ * tables copied during copy_page_range(). On success, stores the pfn to be
+ * passed to untrack_pfn_copy().
  */
-static inline int track_pfn_copy(struct vm_area_struct *vma)
+static inline int track_pfn_copy(struct vm_area_struct *dst_vma,
+		struct vm_area_struct *src_vma, unsigned long *pfn)
 {
 	return 0;
 }
 
+/*
+ * untrack_pfn_copy is called when a VM_PFNMAP VMA failed to copy during
+ * copy_page_range(), but after track_pfn_copy() was already called.
+ */
+static inline void untrack_pfn_copy(struct vm_area_struct *dst_vma,
+		unsigned long pfn)
+{
+}
+
 /*
  * untrack_pfn is called while unmapping a pfnmap for a region.
  * untrack can be called for a specific region indicated by pfn and size or
@@ -1297,8 +1308,10 @@ static inline void untrack_pfn(struct vm_area_struct *vma,
 }
 
 /*
- * untrack_pfn_clear is called while mremapping a pfnmap for a new region
- * or fails to copy pgtable during duplicate vm area.
+ * untrack_pfn_clear is called in the following cases on a VM_PFNMAP VMA:
+ *
+ * 1) During mremap() on the src VMA after the page tables were moved.
+ * 2) During fork() on the dst VMA, immediately after duplicating the src VMA.
  */
 static inline void untrack_pfn_clear(struct vm_area_struct *vma)
 {
@@ -1309,7 +1322,10 @@ extern int track_pfn_remap(struct vm_area_struct *vma, pgprot_t *prot,
 			   unsigned long size);
 extern void track_pfn_insert(struct vm_area_struct *vma, pgprot_t *prot,
 			     pfn_t pfn);
-extern int track_pfn_copy(struct vm_area_struct *vma);
+extern int track_pfn_copy(struct vm_area_struct *dst_vma,
+		struct vm_area_struct *src_vma, unsigned long *pfn);
+extern void untrack_pfn_copy(struct vm_area_struct *dst_vma,
+		unsigned long pfn);
 extern void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn,
 			unsigned long size, bool mm_wr_locked);
 extern void untrack_pfn_clear(struct vm_area_struct *vma);

kernel/fork.c

@@ -522,6 +522,10 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
 	vma_numab_state_init(new);
 	dup_anon_vma_name(orig, new);
 
+	/* track_pfn_copy() will later take care of copying internal state. */
+	if (unlikely(new->vm_flags & VM_PFNMAP))
+		untrack_pfn_clear(new);
+
 	return new;
 }
 

mm/memory.c

@@ -1279,12 +1279,12 @@ int
 copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
 {
 	pgd_t *src_pgd, *dst_pgd;
-	unsigned long next;
 	unsigned long addr = src_vma->vm_start;
 	unsigned long end = src_vma->vm_end;
 	struct mm_struct *dst_mm = dst_vma->vm_mm;
 	struct mm_struct *src_mm = src_vma->vm_mm;
 	struct mmu_notifier_range range;
+	unsigned long next, pfn;
 	bool is_cow;
 	int ret;
 
@@ -1295,11 +1295,7 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
 		return copy_hugetlb_page_range(dst_mm, src_mm, dst_vma, src_vma);
 
 	if (unlikely(src_vma->vm_flags & VM_PFNMAP)) {
-		/*
-		 * We do not free on error cases below as remove_vma
-		 * gets called on error from higher level routine
-		 */
-		ret = track_pfn_copy(src_vma);
+		ret = track_pfn_copy(dst_vma, src_vma, &pfn);
 		if (ret)
 			return ret;
 	}
@@ -1336,7 +1332,6 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
 			continue;
 		if (unlikely(copy_p4d_range(dst_vma, src_vma, dst_pgd, src_pgd,
 					    addr, next))) {
-			untrack_pfn_clear(dst_vma);
 			ret = -ENOMEM;
 			break;
 		}
@@ -1346,6 +1341,8 @@ copy_page_range(struct vm_area_struct *dst_vma, struct vm_area_struct *src_vma)
 		raw_write_seqcount_end(&src_mm->write_protect_seq);
 		mmu_notifier_invalidate_range_end(&range);
 	}
+	if (ret && unlikely(src_vma->vm_flags & VM_PFNMAP))
+		untrack_pfn_copy(dst_vma, pfn);
 	return ret;
 }