From: Liam R. Howlett
Date: Tue, 27 Aug 2024 16:46:51 +0000 (-0400)
Subject: mm/vma: Fix null pointer dereference in vms_abort_munmap_vmas()
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=1931b24e8d4c1d3c33e974c8761cb804a4e2e2b7;p=users%2Fjedix%2Flinux-maple.git

mm/vma: Fix null pointer dereference in vms_abort_munmap_vmas()

Don't pass a NULL vma to the vma_iter_store(), instead set up the maple state for the store and do it manually. vma_iter_clear() cannot be used as it needs preallocations.

Signed-off-by: Liam R. Howlett
Reported-by: Dan Carpenter
---
diff --git a/mm/vma.h b/mm/vma.h
index f710812482a1..5f525d723390 100644
--- a/mm/vma.h
+++ b/mm/vma.h
@@ -173,6 +173,7 @@ static inline void reattach_vmas(struct ma_state *mas_detach)
 static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
 struct ma_state *mas_detach)
 {
+ struct ma_state *mas = &vms->vmi->mas;
 if (!vms->nr_pages)
 return;
 
@@ -184,13 +185,14 @@ static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
 * not symmetrical and state data has been lost. Resort to the old
 * failure method of leaving a gap where the MAP_FIXED mapping failed.
 */
- if (unlikely(vma_iter_store_gfp(vms->vmi, NULL, GFP_KERNEL))) {
+ mas_set_range(mas, vms->start, vms->end);
+ if (unlikely(mas_store_gfp(mas, NULL, GFP_KERNEL))) {
 pr_warn_once("%s: (%d) Unable to abort munmap() operation\n",
 current->comm, current->pid);
 /* Leaving vmas detached and in-tree may hamper recovery */
 reattach_vmas(mas_detach);
 } else {
- /* Clean up the insertion of unfortunate the gap */
+ /* Clean up the insertion of the unfortunate gap */
 vms_complete_munmap_vmas(vms, mas_detach);
 }
 }
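Review bot: The range given to `mas_set_range(mas, vms->start, vms->end)` in the second hunk is an inclusive last index on the maple-tree side, so if `vms->end` follows the VMA convention of an exclusive end (as `vm_end` does) the NULL store also covers the first byte of whatever mapping begins at `vms->end` and shrinks that neighbour's tree entry; the call should then read `mas_set_range(mas, vms->start, vms->end - 1);`, and it is worth confirming which convention `vms->end` uses before merging. The store now bypasses the vma_iter wrapper for a reason only the commit message gives, so a one-line comment above it such as `/* Store the gap directly on the iterator's maple state: vma_iter_store_gfp() dereferences its vma and cannot store NULL */` would stop the next reader from reverting to the wrapper. In the first hunk, `struct ma_state *mas = &vms->vmi->mas;` runs straight into `if (!vms->nr_pages)`; kernel style wants a blank line after the declaration.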