mm/userfaultfd: reset ptes when close() for wr-protected ones

commit c88033e
Author: Peter Xu <peterx@redhat.com>
Date:   Mon Apr 22 09:33:11 2024 -0400

    mm/userfaultfd: reset ptes when close() for wr-protected ones

    Userfaultfd unregister includes a step to remove wr-protect bits from all
    the relevant pgtable entries, but that only covered an explicit
    UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself.  Cover
    that too.  This fixes a WARN trace.

    The only user visible side effect is the user can observe leftover
    wr-protect bits even if the user close()ed on an userfaultfd when
    releasing the last reference of it.  However hopefully that should be
    harmless, and nothing bad should happen even if so.

    This change is now more important after the recent page-table-check
    patch we merged in mm-unstable (446dd9ad37d0 ("mm/page_table_check:
    support userfault wr-protect entries")), as we'll do sanity check on
    uffd-wp bits without vma context.  So it's better if we can 100%
    guarantee no uffd-wp bit leftovers, to make sure each report will be
    valid.

    Link: https://lore.kernel.org/all/000000000000ca4df20616a0fe16@google.com/
    Fixes: f369b07 ("mm/uffd: reset write protection when unregister with wp-mode")
    Analyzed-by: David Hildenbrand <david@redhat.com>
    Link: https://lkml.kernel.org/r/20240422133311.2987675-1-peterx@redhat.com
    Reported-by: syzbot+d8426b591c36b21c750e@syzkaller.appspotmail.com
    Signed-off-by: Peter Xu <peterx@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Cc: Nadav Amit <nadav.amit@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

CVE: CVE-2024-36881
JIRA: https://issues.redhat.com/browse/RHEL-39639
Signed-off-by: Nico Pache <npache@redhat.com>

Author: PacheNico

fs/userfaultfd.c

@@ -914,6 +914,10 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
 			prev = vma;
 			continue;
 		}
+		/* Reset ptes for the whole vma range if wr-protected */
+		if (userfaultfd_wp(vma))
+			uffd_wp_range(vma, vma->vm_start,
+				      vma->vm_end - vma->vm_start, false);
 		new_flags = vma->vm_flags & ~__VM_UFFD_FLAGS;
 		prev = vma_merge(&vmi, mm, prev, vma->vm_start, vma->vm_end,
 				 new_flags, vma->anon_vma,