Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fs/userfaultfd: Fix maple tree iterator in userfaultfd_unregister()

When iterating the VMAs, the maple state needs to be invalidated if the
tree is modified by a split or merge to ensure the maple tree node
contained in the maple state is still valid. These invalidations were
missed, so add them to the paths which alter the tree.

Reported-by: syzbot+0d2014e4da2ccced5b41@syzkaller.appspotmail.com
Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")
Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Liam Howlett, committed by Linus Torvalds
59f2f4b8 a1de832b

Diffstat: +3 (fs/userfaultfd.c, 3 insertions)
fs/userfaultfd.c
··· 1630 1630 NULL_VM_UFFD_CTX, anon_vma_name(vma)); 1631 1631 if (prev) { 1632 1632 vma = prev; 1633 + mas_pause(&mas); 1633 1634 goto next; 1634 1635 } 1635 1636 if (vma->vm_start < start) { 1636 1637 ret = split_vma(mm, vma, start, 1); 1637 1638 if (ret) 1638 1639 break; 1640 + mas_pause(&mas); 1639 1641 } 1640 1642 if (vma->vm_end > end) { 1641 1643 ret = split_vma(mm, vma, end, 0); 1642 1644 if (ret) 1643 1645 break; 1646 + mas_pause(&mas); 1644 1647 } 1645 1648 next: 1646 1649 /*
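Review bot: the reason for the three new mas_pause(&mas) calls is only in the commit message, not in the code; a one-line comment at the first one (the `vma = prev;` merge path) saying that the merge or split just modified the tree and the node cached in `mas` may now be stale would save the next reader a trip to git log. Two smaller points on the same hunk: the two split_vma() branches can both fire for one VMA (start-side split, then end-side split), which pauses the iterator twice in a row; that is harmless but a single mas_pause() just before `next:` on the split path would be tighter. And on the two `if (ret) break;` lines the state is left un-paused after a possible partial modification, which is fine only if nothing after the loop reuses `mas` for further iteration; the hunk does not show the loop exit, so please confirm.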