www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Liam R. Howlett <Liam.Howlett@oracle.com>
	Wed, 5 Apr 2023 19:33:57 +0000 (15:33 -0400)
committer	Liam R. Howlett <Liam.Howlett@oracle.com>
	Thu, 6 Apr 2023 15:09:00 +0000 (11:09 -0400)
commit	5a21388ce113248a608e0d1c2bb014fb7f70683d
tree	c97c1b733c5a294a61934cd212da550ecd3ca197	tree
parent	71f658b51f19c8e5d58932c77967e887581c667c	commit \| diff

mm/mempolicy: Fix use-after-free of VMA iterator

set_mempolicy_home_node() iterates over a list of VMAs and calls
mbind_range() on each VMA, which also iterates over the singular list of
the VMA passed in and potentially splits the VMA.  Since the VMA
iterator is not passed through, set_mempolicy_home_node() may now point
to a stale node in the VMA tree.  This can result in a UAF as reported
by syzbot.

Avoid the stale maple tree node by passing the VMA iterator through to
the underlying call to split_vma().

mbind_range() is also overly complicated, since there are two calling
functions and one already handles iterating over the VMAs.  Simplify
mbind_range() to only handle merging and splitting of the VMAs.

Align the new loop in do_mbind() and existing loop in
set_mempolicy_home_node() to use the reduced mbind_range() function.
This allows for a single location of the range calculation and avoids
constantly looking up the previous VMA (since this is a loop over the
VMAs).

Link: https://lore.kernel.org/linux-mm/000000000000c93feb05f87e24ad@google.com/
Reported-by: syzbot+a7c1ec5b1d71ceaa5186@syzkaller.appspotmail.com
Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
Cc: <stable@vger.kernel.org>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>