From: Sebastian Ott Date: Fri, 29 Sep 2023 17:19:41 +0000 (-0700) Subject: mm: fix vm_brk_flags() to not bail out while holding lock X-Git-Tag: v6.1.61~67 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=38d0d1c44255dee222f455ee4026b5a57e9c0208;p=platform%2Fkernel%2Flinux-starfive.git mm: fix vm_brk_flags() to not bail out while holding lock commit e0f81ab1e4f42ffece6440dc78f583eb352b9a71 upstream. Calling vm_brk_flags() with flags set other than VM_EXEC will exit the function without releasing the mmap_write_lock. Just do the sanity check before the lock is acquired. This doesn't fix an actual issue since no caller sets a flag other than VM_EXEC. Link: https://lkml.kernel.org/r/20230929171937.work.697-kees@kernel.org Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()") Signed-off-by: Sebastian Ott Signed-off-by: Kees Cook Reviewed-by: Liam R. Howlett Cc: Yu Zhao Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- diff --git a/mm/mmap.c b/mm/mmap.c index 41a240b..8ffe3f87 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3147,13 +3147,13 @@ int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags) if (!len) return 0; - if (mmap_write_lock_killable(mm)) - return -EINTR; - /* Until we need other flags, refuse anything except VM_EXEC. */ if ((flags & (~VM_EXEC)) != 0) return -EINVAL; + if (mmap_write_lock_killable(mm)) + return -EINTR; + ret = check_brk_limits(addr, len); if (ret) goto limits_failed;
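Review bot: In the mm/mmap.c hunk, the flags check still sits below the `if (!len) return 0;` early exit, so a zero-length request with flags other than VM_EXEC returns 0 rather than -EINVAL; if validation is meant to be strict, move the flags check above the length check. With the new ordering, the failed `mmap_write_lock_killable(mm)` call itself is the only bare `return` from the lock attempt onward that is visible here, and every later exit has to leave through an unlocking label. The `goto limits_failed` path is correct only if that label, which lies outside the visible context, releases the mmap write lock, so confirm this against the target tree when backporting. A one-line comment above the lock acquisition stating that all later exits must go through the unlock path would help keep this kind of lock leak from being reintroduced.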