From: Alex Williamson <alex@shazbot.org>
To: tugrul.kukul@est.tech
Cc: gregkh@linuxfoundation.org, sashal@kernel.org,
stable@vger.kernel.org, kevin.tian@intel.com, jgg@ziepe.ca,
lorenzo.stoakes@oracle.com, david@redhat.com,
akpm@linux-foundation.org, mike.kravetz@oracle.com,
linmiaohe@huawei.com, yi.l.liu@intel.com,
axelrasmussen@google.com, leah.rumancik@gmail.com,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
david.nystrom@est.tech, alex@shazbot.org
Subject: Re: [PATCH 6.6.y 0/4] Fix CVE-2024-27022: fork/hugetlb race with vfio prerequisites
Date: Tue, 7 Apr 2026 12:16:05 -0600 [thread overview]
Message-ID: <20260407121605.17eb56d1@shazbot.org> (raw)
In-Reply-To: <20260402161311.63484-1-tugrul.kukul@est.tech>
On Thu, 2 Apr 2026 18:13:07 +0200
tugrul.kukul@est.tech wrote:
> From: Tugrul Kukul <tugrul.kukul@est.tech>
>
> This series fixes CVE-2024-27022 on 6.6 stable by first backporting the
> necessary vfio refactoring, then applying the fork fix.
>
> == Background ==
>
> CVE-2024-27022 is a race condition in dup_mmap() during fork() where a
> file-backed VMA becomes visible through the i_mmap tree before it is
> fully initialized. A concurrent hugetlbfs operation (fallocate/punch_hole)
> can access the VMA with a NULL or inconsistent vma_lock, causing a kernel
> deadlock or WARNING.
>
> The mainline fix (35e351780fa9, v6.9-rc5) defers linking the file VMA
> into the i_mmap tree until the VMA is fully initialized.
>
> == Why this hasn't been fixed in 6.6 until now ==
>
> This CVE has had a troubled backport history on 6.6 stable:
>
> 1. cec11fa2eb51 - Incomplete backport to 6.6, only moved
> hugetlb_dup_vma_private() and vm_ops->open() but left
> vma_iter_bulk_store() and mm->map_count++ in place.
> Caused xfstests failures.
>
> 2. dd782da47076 - Sam James reverted the incomplete backport. [1]
>
> 3. Leah Rumancik attempted a correct backport but discovered it
> introduced a vfio-pci ordering issue: vm_ops->open() being called
> before copy_page_range() breaks vfio-pci's zap-then-fault mechanism.
> Leah withdrew the patch. [2]
>
> 4. Axel Rasmussen backported Alex Williamson's 3 vfio refactor
> commits to both 6.9 and 6.6 stable [3][4]. The 6.9 backport was
> accepted [5], but for 6.6 Alex Williamson pointed out that the
> fork fix was still reverted — without it, the vfio patches alone
> are unnecessary. Axel withdrew the 6.6 series.
>
> 5. 6.6 stable has remained unfixed since July 2024.
>
> == This series ==
>
> This series picks up Axel's withdrawn 6.6 backport of the vfio
> refactor patches [4] and adds the missing fork fix on top, completing
> the work that was left unfinished. Patches 1-3 are Alex Williamson's
> vfio refactor (backported by Axel Rasmussen), patch 4 is the CVE fix
> adapted for 6.6 stable.
>
> 1/4 vfio: Create vfio_fs_type with inode per device
> 2/4 vfio/pci: Use unmap_mapping_range()
> 3/4 vfio/pci: Insert full vma on mmap'd MMIO fault
> 4/4 fork: defer linking file vma until vma is fully initialized
>
> == 6.6 stable adaptations ==
>
> Patch 4/4 (fork: defer linking file vma):
> - 6.6 uses vma_iter_bulk_store() which can fail, unlike mainline's
> __mt_dup(). Error handling via goto fail_nomem_vmi_store is preserved.
>
> == Testing ==
>
> CVE reproducer (custom fork/punch_hole stress test, 60s):
> - Unpatched: deadlock in hugetlb_fault within seconds
> - Patched: 2174 forks completed, zero warnings (KASAN+LOCKDEP enabled)
>
> xfstests quick group (672 tests, ext4, virtme-ng):
> - 65 failures, all pre-existing or KASAN-overhead timeouts
> - Zero patch-attributable regressions
> - Leah's 4 specific tests that caused the original revert
> (ext4/303, generic/051, generic/054, generic/069) all pass
>
> VFIO + fork stress test (CONFIG_VFIO=y, hugetlbfs):
> - CVE reproducer with vfio modules active: zero warnings
>
> Yocto CI integration (~87,900 tests per build, LTP+ptest+runtime):
> - No known regressions
>
> dmesg analysis (KASAN, LOCKDEP, PROVE_LOCKING, DEBUG_VM, DEBUG_LIST):
> - Zero memory safety, locking, or VMA state issues across ~38 hours
> of testing
>
> == References ==
>
> [1] Revert discussion:
> https://lore.kernel.org/stable/20240604004751.3883227-1-leah.rumancik@gmail.com/
>
> [2] Leah's backport attempt and vfio discovery:
> https://lore.kernel.org/stable/CACzhbgRjDNkpaQOYsUN+v+jn3E2DVxX0Q4WuQWNjfwEx4Fps6g@mail.gmail.com/T/#u
>
> [3] Axel's vfio series and Alex's feedback:
> https://lore.kernel.org/stable/20240716112530.2562c41b.alex.williamson@redhat.com/T/#u
>
> [4] Axel's 6.6 vfio series (withdrawn):
> https://lore.kernel.org/stable/20240717222429.2011540-1-axelrasmussen@google.com/T/#u
>
> [5] Axel's 6.9 vfio series (accepted):
> https://lore.kernel.org/stable/20240717213339.1921530-1-axelrasmussen@google.com/T/#u
>
> [6] CVE details:
> https://nvd.nist.gov/vuln/detail/CVE-2024-27022
>
> [7] Original report:
> https://lore.kernel.org/linux-mm/20240129161735.6gmjsswx62o4pbja@revolver/T/
>
> [8] Mainline fix:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35e351780fa9d8240dd6f7e4f245f9ea37e96c19
>
>
> Alex Williamson (3):
> vfio: Create vfio_fs_type with inode per device
> vfio/pci: Use unmap_mapping_range()
> vfio/pci: Insert full vma on mmap'd MMIO fault
>
> Miaohe Lin (1):
> fork: defer linking file vma until vma is fully initialized
>
> drivers/vfio/device_cdev.c | 7 +
> drivers/vfio/group.c | 7 +
> drivers/vfio/pci/vfio_pci_core.c | 271 ++++++++-----------------------
> drivers/vfio/vfio_main.c | 44 +++++
> include/linux/vfio.h | 1 +
> include/linux/vfio_pci_core.h | 2 -
> kernel/fork.c | 29 ++--
> 7 files changed, 140 insertions(+), 221 deletions(-)
>
For vfio bits:
Acked-by: Alex Williamson <alex@shazbot.org>
prev parent reply other threads:[~2026-04-07 18:16 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 16:13 [PATCH 6.6.y 0/4] Fix CVE-2024-27022: fork/hugetlb race with vfio prerequisites tugrul.kukul
2026-04-02 16:13 ` [PATCH 6.6.y 1/4] vfio: Create vfio_fs_type with inode per device tugrul.kukul
2026-04-02 16:13 ` [PATCH 6.6.y 2/4] vfio/pci: Use unmap_mapping_range() tugrul.kukul
2026-04-02 16:13 ` [PATCH 6.6.y 3/4] vfio/pci: Insert full vma on mmap'd MMIO fault tugrul.kukul
2026-04-02 16:13 ` [PATCH 6.6.y 4/4] fork: defer linking file vma until vma is fully initialized tugrul.kukul
2026-04-07 18:16 ` Alex Williamson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260407121605.17eb56d1@shazbot.org \
--to=alex@shazbot.org \
--cc=akpm@linux-foundation.org \
--cc=axelrasmussen@google.com \
--cc=david.nystrom@est.tech \
--cc=david@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@ziepe.ca \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=leah.rumancik@gmail.com \
--cc=linmiaohe@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mike.kravetz@oracle.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tugrul.kukul@est.tech \
--cc=yi.l.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox