mm/mmap: Fix use-after-free when expanding the VMA v6.4-rc5_fixes
author Liam R. Howlett <Liam.Howlett@oracle.com>
Wed, 14 Jun 2023 22:30:35 +0000 (18:30 -0400)
committer Liam R. Howlett <Liam.Howlett@oracle.com>
Thu, 15 Jun 2023 20:04:37 +0000 (16:04 -0400)
commit 7bcfe276a26be4d2e3f480099f1a4ad4f5eb3d22
tree bf9c16efd884c8c4db8c3fd92cef1c9a93618adf
parent 9561de3a55bed6bdd44a12820ba81ec416e705a7
mm/mmap: Fix use-after-free when expanding the VMA

Expanding the VMA can cause new maple tree nodes to be used if a gap
disappears, or the VMA expands beyond the node boundary into the
preceding node (GROWSUP only).  Since the expansion only takes the read
lock and other readers are not taking the rcu read lock, other walkers
may still have a pointer to the freed node.

Fix the use-after-free by dropping the read lock and obtaining the write
lock in these cases.  In the case of GROWSUP, ensure the write lock is
always taken.

Fixes: d4af56c5c7c6 ("mm: start tracking VMAs with maple tree")
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+f3728183b2f78d0d40f6@syzkaller.appspotmail.com
Reported-by: Ruihan Li <lrh2000@pku.edu.cn>
Co-developed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
arch/x86/mm/fault.c
fs/binfmt_elf.c
fs/exec.c
include/linux/mm.h
mm/mmap.c
mm/nommu.c