userfaultfd: avoid huge_zero_page in UFFDIO_MOVE

While testing UFFDIO_MOVE ioctl, syzbot triggered VM_BUG_ON_PAGE caused by
a call to PageAnonExclusive() with a huge_zero_page as a parameter.
UFFDIO_MOVE does not yet handle zeropages and returns EBUSY when one is
encountered.  Add an early huge_zero_page check in the PMD move path to
avoid this situation.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
Reported-by: [email protected]
Signed-off-by: Suren Baghdasaryan <[email protected]>
Acked-by: David Hildenbrand <[email protected]>
Cc: Andrea Arcangeli <[email protected]>
Cc: Peter Xu <[email protected]>
Cc: Stephen Rothwell <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 216ab4c8621f6ba38e480ea791e7fb0283cf4944..20e3b0d9cf7ed0d59d86a11b2472f0e138160692 100644 (file)
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -1393,6 +1393,12 @@ ssize_t move_pages(struct userfaultfd_ctx *ctx, struct mm_struct *mm,
                                err = -ENOENT;
                                break;
                        }
+                       /* Avoid moving zeropages for now */
+                       if (is_huge_zero_pmd(*src_pmd)) {
+                               spin_unlock(ptl);
+                               err = -EBUSY;
+                               break;
+                       }
 
                        /* Check if we can move the pmd without splitting it. */
                        if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) ||