@@ -2394,6 +2394,7 @@ int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
shmem_recalc_inode(inode);
spin_unlock_irq(&info->lock);
+ SetPageDirty(page);
unlock_page(page);
return 0;
out_delete_from_cache:
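Review bot: The `SetPageDirty(page)` added before `unlock_page(page)` carries no comment on why a page-level dirty mark is now needed at this point, and the reason is non-local: with the userfaultfd change in this same patch the installed PTE may be clean for a read-only mapping, so page dirtiness can no longer be assumed to follow from the PTE. I'd add above it `/* The copy wrote the page contents; mark the page itself dirty, since the PTE installed later may be clean for a read-only mapping. */`. It is placed after the `info->lock` is dropped and while the page is still locked, which looks right, but the start of shmem_mfill_atomic_pte is outside this hunk so I cannot confirm the page lock is held on every path reaching here.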
@@ -69,9 +69,10 @@ int mfill_atomic_install_pte(struct mm_struct *dst_mm, pmd_t *dst_pmd,
pgoff_t offset, max_off;
_dst_pte = mk_pte(page, dst_vma->vm_page_prot);
- _dst_pte = pte_mkdirty(_dst_pte);
if (page_in_cache && !vm_shared)
writable = false;
+ if (writable || !page_in_cache)
+ _dst_pte = pte_mkdirty(_dst_pte);
/*
* Always mark a PTE as write-protected when needed, regardless of
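Review bot: The new condition `if (writable || !page_in_cache)` before `pte_mkdirty` is the whole security fix, yet nothing in the code says why a non-writable PTE must stay clean; I'd add the comment `/* A read-only PTE must not be dirty: the absent dirty bit is what makes a later write fault and break COW instead of writing through to the shared page-cache page (CVE-2022-2590). */` directly above it. The second arm still dirties a page that is not in the cache even when `writable` is false; that is presumably fine for a freshly copied private page, but a short note stating that assumption would keep the next reader from "simplifying" the condition back to unconditional. `writable` is initialised before this hunk and mfill_atomic_install_pte continues past it, so the interaction with the write-protect path below could not be checked here.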
This reverts commit 9ae0f87d009ca6c4aab2882641ddfc319727e3db. Otherwise, pages might be set dirty even if they are not writable, which tricks the kernel into not breaking COW, allowing shmem files without write permissions to be modified. CVE-2022-2590 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> --- mm/shmem.c | 1 + mm/userfaultfd.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-)