The patch titled Subject: userfaultfd: fix a race between writeprotect and exit_mmap() has been added to the -mm tree. Its filename is userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap.patch
This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/userfaultfd-fix-a-race-between-wri... and later at https://ozlabs.org/~akpm/mmotm/broken-out/userfaultfd-fix-a-race-between-wri...
Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated there every 3-4 working days
------------------------------------------------------ From: Nadav Amit namit@vmware.com Subject: userfaultfd: fix a race between writeprotect and exit_mmap()
A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called.
The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well.
Use mmget_not_zero() to prevent the race as done in other userfaultfd operations.
Link: https://lkml.kernel.org/r/20210921200247.25749-1-namit@vmware.com Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Signed-off-by: Nadav Amit namit@vmware.com Tested-by: Li Wang liwang@redhat.com Reviewed-by: Peter Xu peterx@redhat.com Cc: Andrea Arcangeli aarcange@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---
fs/userfaultfd.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/userfaultfd.c~userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap +++ a/fs/userfaultfd.c @@ -1827,9 +1827,15 @@ static int userfaultfd_writeprotect(stru if (mode_wp && mode_dontwake) return -EINVAL;
- ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, - uffdio_wp.range.len, mode_wp, - &ctx->mmap_changing); + if (mmget_not_zero(ctx->mm)) { + ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, + uffdio_wp.range.len, mode_wp, + &ctx->mmap_changing); + mmput(ctx->mm); + } else { + return -ESRCH; + } + if (ret) return ret;
_
Patches currently in -mm which might be from namit@vmware.com are
userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap.patch