fuxup: check vm_start/vm_end after locking in lock_vma_under_rcu

author Suren Baghdasaryan <surenb@google.com>

Fri, 9 Dec 2022 20:14:49 +0000 (12:14 -0800)

committer Liam R. Howlett <Liam.Howlett@oracle.com>

Wed, 4 Jan 2023 20:59:27 +0000 (15:59 -0500)
author Suren Baghdasaryan <surenb@google.com>
Fri, 9 Dec 2022 20:14:49 +0000 (12:14 -0800)
committer Liam R. Howlett <Liam.Howlett@oracle.com>
Wed, 4 Jan 2023 20:59:27 +0000 (15:59 -0500)
diff --git a/mm/memory.c b/mm/memory.c

index e4e958ec75ea7efb1ddaedf7fa89fa4a18303341..59d1ef04be0d092e4993fb1586193f9af81b116f 100644 (file)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5278,6 +5278,7 @@ retry:
         if (!vma)
                 goto inval;
  
+       /* Only anonymous vmas are supported for now */
         if (!vma_is_anonymous(vma))
                 goto inval;
  
@@ -5292,8 +5293,12 @@ retry:
         if (userfaultfd_armed(vma))
                 goto inval;
  
-       if (!vma_read_trylock(vma)) {
-               count_vm_vma_lock_event(VMA_LOCK_ABORT);
+       if (!vma_read_trylock(vma))
+               goto inval;
+
+       /* Check since vm_start/vm_end might change before we lock the VMA */
+       if (unlikely(address < vma->vm_start || address >= vma->vm_end)) {
+               vma_read_unlock(vma);
                 goto inval;
         }
  
@@ -5312,6 +5317,7 @@ retry:
         return vma;
  inval:
         rcu_read_unlock();
+       count_vm_vma_lock_event(VMA_LOCK_ABORT);
         return NULL;
  }
  #endif /* CONFIG_PER_VMA_LOCK */
author	Suren Baghdasaryan <surenb@google.com>
	Fri, 9 Dec 2022 20:14:49 +0000 (12:14 -0800)
committer	Liam R. Howlett <Liam.Howlett@oracle.com>
	Wed, 4 Jan 2023 20:59:27 +0000 (15:59 -0500)