From: Lorenzo Stoakes
Date: Sat, 16 Aug 2025 07:37:41 +0000 (+0100)
Subject: mm/mremap: do not incorrectly reference invalid VMA in VM_WARN_ON_ONCE()
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=115e16c58c1fce3bfe16852dddb9bde7fb95cea3;p=users%2Fjedix%2Flinux-maple.git

mm/mremap: do not incorrectly reference invalid VMA in VM_WARN_ON_ONCE()

The VMA which is referenced here may have since been merged (which is the entire point of the warning), and yet we still reference it. Fix this by storing whether or not a multi move is permitted ahead of time and have the VM_WARN_ON_ONCE() be predicated on this.

Link: https://lkml.kernel.org/r/b6dbda20-667e-4053-abae-8ed4fa84bb6c@lucifer.local
Reported-by: syzbot+4e221abf50259362f4f4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-mm/689ff5f6.050a0220.e29e5.0030.GAE@google.com/
Signed-off-by: Lorenzo Stoakes
Reviewed-by: Vlastimil Babka
Signed-off-by: Andrew Morton
---
diff --git a/mm/mremap.c b/mm/mremap.c
index 18aa0b3b828f..33b642076205 100644
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -1837,6 +1837,7 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
 unsigned long addr = max(vma->vm_start, start);
 unsigned long len = min(end, vma->vm_end) - addr;
 unsigned long offset, res_vma;
+ bool multi_allowed;
 
 /* No gap permitted at the start of the range. */
 if (!seen_vma && start < vma->vm_start)
@@ -1865,7 +1866,8 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
 vrm->new_addr = target_addr + offset;
 vrm->old_len = vrm->new_len = len;
 
- if (!vma_multi_allowed(vma)) {
+ multi_allowed = vma_multi_allowed(vma);
+ if (!multi_allowed) {
 /* This is not the first VMA, abort immediately. */
 if (seen_vma)
 return -EFAULT;
@@ -1881,8 +1883,7 @@ static unsigned long remap_move(struct vma_remap_struct *vrm)
 return res_vma;
 
 if (!seen_vma) {
- VM_WARN_ON_ONCE(vma_multi_allowed(vma) &&
- res_vma != new_addr);
+ VM_WARN_ON_ONCE(multi_allowed && res_vma != new_addr);
 res = res_vma;
 }
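Review bot: The new line `multi_allowed = vma_multi_allowed(vma);` in the second hunk carries no comment saying why the result must be sampled before the move, so a later cleanup could fold it back into the `VM_WARN_ON_ONCE()` condition and reintroduce the stale-VMA read this commit removes; I would annotate it with `/* Sample before the move: vma may be merged away (and freed) by it. */`. Since `vma` is already dereferenced where `multi_allowed` is declared in the first hunk (`vma->vm_start`), the capture could alternatively be done at the declaration as `bool multi_allowed = vma_multi_allowed(vma);`, which also closes the window in which the variable exists but is unset — assuming nothing between the two points changes the answer, which the diff does not show. The remap_move() loop body continues past this hunk, so I could not confirm that `vma` is not dereferenced anywhere else after the move for the same reason; that is worth checking while here.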