mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway (98b74bb4) · Commits · git / linux-net

mm/hugetlb.c

+18 −2

Original line number	Diff line number	Diff line
		@@ -6048,7 +6048,7 @@ static vm_fault_t hugetlb_wp(struct folio *pagecache_folio,
		* When the original hugepage is shared one, it does not have
		* anon_vma prepared.
		*/
		ret = vmf_anon_prepare(vmf);
		ret = __vmf_anon_prepare(vmf);
		if (unlikely(ret))
		goto out_release_all;

		@@ -6247,7 +6247,7 @@ static vm_fault_t hugetlb_no_page(struct address_space *mapping,
		}

		if (!(vma->vm_flags & VM_MAYSHARE)) {
		ret = vmf_anon_prepare(vmf);
		ret = __vmf_anon_prepare(vmf);
		if (unlikely(ret))
		goto out;
		}
		@@ -6378,6 +6378,14 @@ static vm_fault_t hugetlb_no_page(struct address_space *mapping,
		folio_unlock(folio);
		out:
		hugetlb_vma_unlock_read(vma);

		/*
		* We must check to release the per-VMA lock. __vmf_anon_prepare() is
		* the only way ret can be set to VM_FAULT_RETRY.
		*/
		if (unlikely(ret & VM_FAULT_RETRY))
		vma_end_read(vma);

		mutex_unlock(&hugetlb_fault_mutex_table[hash]);
		return ret;

		@@ -6599,6 +6607,14 @@ vm_fault_t hugetlb_fault(struct mm_struct mm, struct vm_area_struct vma,
		}
		out_mutex:
		hugetlb_vma_unlock_read(vma);

		/*
		* We must check to release the per-VMA lock. __vmf_anon_prepare() in
		* hugetlb_wp() is the only way ret can be set to VM_FAULT_RETRY.
		*/
		if (unlikely(ret & VM_FAULT_RETRY))
		vma_end_read(vma);

		mutex_unlock(&hugetlb_fault_mutex_table[hash]);
		/*
		* Generally it's safe to hold refcount during waiting page lock. But