Commit 59f2f4b8 authored by Liam Howlett's avatar Liam Howlett Committed by Linus Torvalds

fs/userfaultfd: Fix maple tree iterator in userfaultfd_unregister()

When iterating the VMAs, the maple state needs to be invalidated if the
tree is modified by a split or merge to ensure the maple tree node
contained in the maple state is still valid.  These invalidations were
missed, so add them to the paths which alter the tree.

Reported-by: syzbot+0d2014e4da2ccced5b41@syzkaller.appspotmail.com
Fixes: 69dbe6da (userfaultfd: use maple tree iterator to iterate VMAs)
Signed-off-by: default avatarLiam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent a1de832b
...@@ -1630,17 +1630,20 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, ...@@ -1630,17 +1630,20 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
NULL_VM_UFFD_CTX, anon_vma_name(vma)); NULL_VM_UFFD_CTX, anon_vma_name(vma));
if (prev) { if (prev) {
vma = prev; vma = prev;
mas_pause(&mas);
goto next; goto next;
} }
if (vma->vm_start < start) { if (vma->vm_start < start) {
ret = split_vma(mm, vma, start, 1); ret = split_vma(mm, vma, start, 1);
if (ret) if (ret)
break; break;
mas_pause(&mas);
} }
if (vma->vm_end > end) { if (vma->vm_end > end) {
ret = split_vma(mm, vma, end, 0); ret = split_vma(mm, vma, end, 0);
if (ret) if (ret)
break; break;
mas_pause(&mas);
} }
next: next:
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment