mm: write-lock VMAs before removing them from VMA tree

Write-locking VMAs before isolating them ensures that page fault handlers
don't operate on isolated VMAs.

Link: https://lkml.kernel.org/r/20230227173632.3292573-19-surenb@google.com
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/mmap.c b/mm/mmap.c
index ebe6dc17198fc0d2304f9b0e51ca59fa6ac06226..680aecc1d5b62aa490eec56b6df01eb53befad1e 100644 (file)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2254,6 +2254,7 @@ int split_vma(struct vma_iterator *vmi, struct vm_area_struct *vma,
 static inline int munmap_sidetree(struct vm_area_struct *vma,
                                   struct ma_state *mas_detach)
 {
+       vma_start_write(vma);
        mas_set_range(mas_detach, vma->vm_start, vma->vm_end - 1);
        if (mas_store_gfp(mas_detach, vma, GFP_KERNEL))
                return -ENOMEM;

diff --git a/mm/nommu.c b/mm/nommu.c
index 57ba243c6a37f466962891f6d71b7dc0910ffce7..2ab162d773e217264e85c5a95668ac8d2bd6d999 100644 (file)
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -588,6 +588,7 @@ static int delete_vma_from_mm(struct vm_area_struct *vma)
                       current->pid);
                return -ENOMEM;
        }
+       vma_start_write(vma);
        cleanup_vma_from_mm(vma);
 
        /* remove from the MM's tree and list */
@@ -1519,6 +1520,10 @@ void exit_mmap(struct mm_struct *mm)
         */
        mmap_write_lock(mm);
        for_each_vma(vmi, vma) {
+               /*
+                * No need to lock VMA because this is the only mm user and no
+                * page fault handled can race with it.
+                */
                cleanup_vma_from_mm(vma);
                delete_vma(mm, vma);
                cond_resched();