On Tue, Sep 21, 2021 at 01:02:47PM -0700, Nadav Amit wrote:
From: Nadav Amit <namit@vmware.com>
A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called.
The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well.
Use mmget_not_zero() to prevent the race as done in other userfaultfd operations.
Cc: Peter Xu <peterx@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
Signed-off-by: Nadav Amit <namit@vmware.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Thanks!
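The pattern the patch adopts, shown as an added user-space model rather than the kernel's own code: a userfaultfd context keeps the mm_struct allocated but does not pin the address space, so once mm_users drops to zero exit_mmap() frees the VMAs, and any ioctl path that walks them must first take an mm_users reference with mmget_not_zero() and bail out if the count is already zero. Everything suffixed _model, the VMA layout, and the choice of -ESRCH as the "owner already exited" error are constructed for this illustration and are not taken from the patch.

```c
/* Added example, not kernel code: a user-space model of the
 * mmget_not_zero() pattern userfaultfd ioctls use before touching VMAs.
 * All *_model names, the VMA layout and the error values are constructed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define ESRCH_MODEL  3   /* stands in for -ESRCH: mm owner already exited */
#define ENOENT_MODEL 2   /* stands in for -ENOENT: address not mapped */

struct vma_model { unsigned long start, end; bool wp; };

struct mm_model {
    atomic_int mm_users;        /* like mm_struct.mm_users */
    struct vma_model *vmas;     /* NULL once exit_mmap_model() has run */
    size_t nr_vmas;
};

/* Equivalent of atomic_inc_not_zero(&mm->mm_users): take a reference only
 * while the count is still positive, so a dead mm is never revived. */
static bool mmget_not_zero_model(struct mm_model *mm)
{
    int old = atomic_load(&mm->mm_users);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&mm->mm_users, &old, old + 1))
            return true;
        /* CAS failed: old now holds the current count, retry */
    }
    return false;
}

/* The last mmput() tears the VMAs down, as exit_mmap() does on exit. */
static void exit_mmap_model(struct mm_model *mm)
{
    mm->vmas = NULL;
    mm->nr_vmas = 0;
}

static void mmput_model(struct mm_model *mm)
{
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
        exit_mmap_model(mm);
}

/* Stand-in for mwriteprotect_range(): flip the wp bit on the VMA covering
 * addr.  Only safe while the caller holds an mm_users reference. */
static int mwriteprotect_range_model(struct mm_model *mm, unsigned long addr,
                                     bool wp)
{
    for (size_t i = 0; i < mm->nr_vmas; i++) {
        if (addr >= mm->vmas[i].start && addr < mm->vmas[i].end) {
            mm->vmas[i].wp = wp;
            return 0;
        }
    }
    return -ENOENT_MODEL;
}

/* The fixed shape of the ioctl: pin mm_users, do the work, unpin. */
static int userfaultfd_writeprotect_model(struct mm_model *mm,
                                          unsigned long addr, bool wp)
{
    int ret;

    if (!mmget_not_zero_model(mm))
        return -ESRCH_MODEL;    /* owner already exited; VMAs are gone */
    ret = mwriteprotect_range_model(mm, addr, wp);
    mmput_model(mm);
    return ret;
}

/* Scenario 1: the owner's exit wins.  mm_users is already zero and the
 * VMAs are torn down, so the ioctl refuses instead of walking freed memory. */
static int scenario_exit_first_model(void)
{
    struct vma_model vmas[1] = { { 0x1000, 0x2000, false } };
    struct mm_model mm = { .vmas = vmas, .nr_vmas = 1 };

    atomic_init(&mm.mm_users, 1);       /* only the owning task */
    mmput_model(&mm);                   /* task exits: exit_mmap() runs */
    return userfaultfd_writeprotect_model(&mm, 0x1800, true);
}

/* Scenario 2: the ioctl takes its reference first.  The owner's mmput()
 * then only drops the count to 1, exit_mmap() is deferred until the ioctl
 * releases its reference, and the VMA walk sees intact VMAs.  Returns 0 on
 * success and sets *vmas_gone_after when the deferred teardown has run. */
static int scenario_ioctl_first_model(bool *vmas_gone_after)
{
    struct vma_model vmas[1] = { { 0x1000, 0x2000, false } };
    struct mm_model mm = { .vmas = vmas, .nr_vmas = 1 };
    int ret;

    atomic_init(&mm.mm_users, 1);
    if (!mmget_not_zero_model(&mm))     /* ioctl pins the mm: count 2 */
        return -ESRCH_MODEL;
    mmput_model(&mm);                   /* owner exits: count 1, no teardown */
    ret = mwriteprotect_range_model(&mm, 0x1800, true);
    ret = (ret == 0 && vmas[0].wp) ? 0 : -1;
    mmput_model(&mm);                   /* ioctl done: count 0, exit_mmap now */
    *vmas_gone_after = (mm.vmas == NULL);
    return ret;
}
```

The key property is the compare-and-swap loop in mmget_not_zero_model(): a plain increment would resurrect a count that has already reached zero and let the ioctl walk VMAs that exit_mmap() is freeing, which is the window the commit message describes.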