From: Suren Baghdasaryan
Date: Fri, 9 Dec 2022 20:14:49 +0000 (-0800)
Subject: fuxup: check vm_start/vm_end after locking in lock_vma_under_rcu
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f7c9493c5966c88a9f5a3453d623b5cccc32d2ac;p=users%2Fjedix%2Flinux-maple.git
fuxup: check vm_start/vm_end after locking in lock_vma_under_rcu
Signed-off-by: Suren Baghdasaryan
---
diff --git a/mm/memory.c b/mm/memory.c
index e4e958ec75ea..59d1ef04be0d 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5278,6 +5278,7 @@ retry:
 if (!vma)
 goto inval;
+ /* Only anonymous vmas are supported for now */
 if (!vma_is_anonymous(vma))
 goto inval;
@@ -5292,8 +5293,12 @@ retry:
 if (userfaultfd_armed(vma))
 goto inval;
- if (!vma_read_trylock(vma)) {
- count_vm_vma_lock_event(VMA_LOCK_ABORT);
+ if (!vma_read_trylock(vma))
+ goto inval;
+
+ /* Check since vm_start/vm_end might change before we lock the VMA */
+ if (unlikely(address < vma->vm_start || address >= vma->vm_end)) {
+ vma_read_unlock(vma);
 goto inval;
 }
@@ -5312,6 +5317,7 @@ retry:
 return vma;
 inval:
 rcu_read_unlock();
+ count_vm_vma_lock_event(VMA_LOCK_ABORT);
 return NULL;
 }
 #endif /* CONFIG_PER_VMA_LOCK */
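Review bot: Moving `count_vm_vma_lock_event(VMA_LOCK_ABORT)` under the `inval:` label in the third hunk widens what the counter measures: it now fires on every early exit of lock_vma_under_rcu (no VMA found, non-anonymous VMA, userfaultfd-armed VMA, failed trylock, and the new post-lock range check in the second hunk), whereas before it counted only the trylock failure. If the intent is "how often the per-VMA lock path falls back for any reason" that is fine but deserves a sentence in the commit message; if the intent was to observe lock contention or the vm_start/vm_end race specifically, the unsupported-VMA exits now mask those counts. The range-check exit in the second hunk is the race this patch targets, so it is the one most useful to see separately; at minimum the new check could carry `/* VMA changed under us; counted as VMA_LOCK_ABORT at inval: with all other fallbacks */`. The start of lock_vma_under_rcu (including the `retry:` label named in the hunk headers) is outside the hunks, so I cannot see whether the VMA-found-but-moved case was meant to retry the lookup rather than abort.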