{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-47531","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-24T15:02:54.826Z","datePublished":"2024-05-24T15:09:41.360Z","dateUpdated":"2025-05-04T07:12:58.096Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:12:58.096Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm: Fix mmap to include VM_IO and VM_DONTDUMP\n\nIn commit 510410bfc034 (\"drm/msm: Implement mmap as GEM object\nfunction\") we switched to a new/cleaner method of doing things. That's\ngood, but we missed a little bit.\n\nBefore that commit, we used to _first_ run through the\ndrm_gem_mmap_obj() case where `obj->funcs->mmap()` was NULL. That meant\nthat we ran:\n\n  vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;\n  vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags));\n  vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot);\n\n...and _then_ we modified those mappings with our own. Now that\n`obj->funcs->mmap()` is no longer NULL we don't run the default\ncode. It looks like the fact that the vm_flags got VM_IO / VM_DONTDUMP\nwas important because we're now getting crashes on Chromebooks that\nuse ARC++ while logging out. Specifically a crash that looks like this\n(this is on a 5.10 kernel w/ relevant backports but also seen on a\n5.15 kernel):\n\n  Unable to handle kernel paging request at virtual address ffffffc008000000\n  Mem abort info:\n    ESR = 0x96000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n  Data abort info:\n    ISV = 0, ISS = 0x00000006\n    CM = 0, WnR = 0\n  swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000008293d000\n  [ffffffc008000000] pgd=00000001002b3003, p4d=00000001002b3003,\n                     pud=00000001002b3003, pmd=0000000000000000\n  Internal error: Oops: 96000006 [#1] PREEMPT SMP\n  [...]\n  CPU: 7 PID: 15734 Comm: crash_dump64 Tainted: G W 5.10.67 #1 [...]\n  Hardware name: Qualcomm Technologies, Inc. sc7280 IDP SKU2 platform (DT)\n  pstate: 80400009 (Nzcv daif +PAN -UAO -TCO BTYPE=--)\n  pc : __arch_copy_to_user+0xc0/0x30c\n  lr : copyout+0xac/0x14c\n  [...]\n  Call trace:\n   __arch_copy_to_user+0xc0/0x30c\n   copy_page_to_iter+0x1a0/0x294\n   process_vm_rw_core+0x240/0x408\n   process_vm_rw+0x110/0x16c\n   __arm64_sys_process_vm_readv+0x30/0x3c\n   el0_svc_common+0xf8/0x250\n   do_el0_svc+0x30/0x80\n   el0_svc+0x10/0x1c\n   el0_sync_handler+0x78/0x108\n   el0_sync+0x184/0x1c0\n  Code: f8408423 f80008c3 910020c6 36100082 (b8404423)\n\nLet's add the two flags back in.\n\nWhile we're at it, the fact that we aren't running the default means\nthat we _don't_ need to clear out VM_PFNMAP, so remove that and save\nan instruction.\n\nNOTE: it was confirmed that VM_IO was the important flag to fix the\nproblem I was seeing, but adding back VM_DONTDUMP seems like a sane\nthing to do so I'm doing that too."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/msm/msm_gem.c"],"versions":[{"version":"510410bfc034c57cc3caf1572aa47c1017bab2f9","lessThan":"8e2b7fe5e8a4be5e571561d9afcfbd92097288ba","status":"affected","versionType":"git"},{"version":"510410bfc034c57cc3caf1572aa47c1017bab2f9","lessThan":"3466d9e217b337bf473ee629c608e53f9f3ab786","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/msm/msm_gem.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"5.15.7","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8e2b7fe5e8a4be5e571561d9afcfbd92097288ba"},{"url":"https://git.kernel.org/stable/c/3466d9e217b337bf473ee629c608e53f9f3ab786"}],"title":"drm/msm: Fix mmap to include VM_IO and VM_DONTDUMP","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T05:39:59.773Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/8e2b7fe5e8a4be5e571561d9afcfbd92097288ba","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/3466d9e217b337bf473ee629c608e53f9f3ab786","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2021-47531","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T15:35:23.631797Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:21.334Z"}}]}}