From f7c9493c5966c88a9f5a3453d623b5cccc32d2ac Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan
Date: Fri, 9 Dec 2022 12:14:49 -0800
Subject: [PATCH] fuxup: check vm_start/vm_end after locking in lock_vma_under_rcu

Signed-off-by: Suren Baghdasaryan
---
 mm/memory.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index e4e958ec75ea..59d1ef04be0d 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -5278,6 +5278,7 @@ retry:
 	if (!vma)
 		goto inval;
+	/* Only anonymous vmas are supported for now */
 	if (!vma_is_anonymous(vma))
 		goto inval;
@@ -5292,8 +5293,12 @@ retry:
 	if (userfaultfd_armed(vma))
 		goto inval;
-	if (!vma_read_trylock(vma)) {
-		count_vm_vma_lock_event(VMA_LOCK_ABORT);
+	if (!vma_read_trylock(vma))
+		goto inval;
+
+	/* Check since vm_start/vm_end might change before we lock the VMA */
+	if (unlikely(address < vma->vm_start || address >= vma->vm_end)) {
+		vma_read_unlock(vma);
 		goto inval;
 	}
@@ -5312,6 +5317,7 @@ retry:
 	return vma;
 inval:
 	rcu_read_unlock();
+	count_vm_vma_lock_event(VMA_LOCK_ABORT);
 	return NULL;
 }
 #endif /* CONFIG_PER_VMA_LOCK */
-- 
2.50.1
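Review bot: The new range check in the second hunk validates vm_start/vm_end under the lock but not whether the VMA is still attached to this mm; between the RCU lookup and vma_read_trylock() the VMA may have been unmapped, and a bare range test on a VMA that is no longer in the tree can still pass and hand a stale mapping to the fault path. Whether that window exists depends on what vma_read_trylock() guarantees for detached VMAs, which is not visible in this hunk; if it does not refuse them, add a detached/ownership check under the lock before the range test, on the same unlock-then-`goto inval` path the range check uses. The reads of vma->vm_start and vma->vm_end also rely on the trylock having acquire ordering against a concurrent writer's updates, which is worth stating in the comment, e.g. `/* Re-check the range: vm_start/vm_end may have changed before we took the lock; the lock orders these reads after the writer's updates */`. The enclosing function lock_vma_under_rcu starts before this hunk.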
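Review bot: Moving count_vm_vma_lock_event(VMA_LOCK_ABORT) to the `inval:` label in the third hunk changes what the counter measures: it now fires for every rejection (no VMA found, non-anonymous VMA, userfaultfd-armed VMA, failed trylock, and the new range mismatch), whereas before it counted only a lost lock attempt. If the event is meant to track lock contention specifically, counting at the label conflates it with policy rejections and will distort any tuning done from it; either keep the count on the trylock-failure path or document the widened meaning at the label, e.g. `/* Every fallback to the mmap_lock path is counted as an abort */`. The commit message does not mention this change in the counter's semantics.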