mm/memory.c: prevent mapping typed pages to userspace

Pages which use page_type must never be mapped to userspace as it would
destroy their page type.  Add an explicit check for this instead of
assuming that kernel drivers always get this right.

Link: http://lkml.kernel.org/r/20190129053830.3749-1-willy@infradead.org
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/mm/memory.c b/mm/memory.c
index a9897dcd530fb3abf812927a0a1090b7d59e9fe0..79e0173a7d70ea325531716a3804a0ab09a3a70c 100644 (file)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
        spinlock_t *ptl;
 
        retval = -EINVAL;
-       if (PageAnon(page) || PageSlab(page))
+       if (PageAnon(page) || PageSlab(page) || page_has_type(page))
                goto out;
        retval = -ENOMEM;
        flush_dcache_page(page);