From: Liam Howlett
Date: Mon, 7 Nov 2022 20:11:42 +0000 (+0000)
Subject: fs/userfaultfd: Fix maple tree iterator in userfaultfd_unregister()
X-Git-Tag: v6.1-rc5~32
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=59f2f4b8a757412fce372f6d0767bdb55da127a8;p=platform%2Fkernel%2Flinux-starfive.git

fs/userfaultfd: Fix maple tree iterator in userfaultfd_unregister()

When iterating the VMAs, the maple state needs to be invalidated if the tree is modified by a split or merge to ensure the maple tree node contained in the maple state is still valid. These invalidations were missed, so add them to the paths which alter the tree.

Reported-by: syzbot+0d2014e4da2ccced5b41@syzkaller.appspotmail.com
Fixes: 69dbe6daf104 (userfaultfd: use maple tree iterator to iterate VMAs)
Signed-off-by: Liam R. Howlett
Signed-off-by: Linus Torvalds
---

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 07c81ab..98ac37e 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1630,17 +1630,20 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, NULL_VM_UFFD_CTX, anon_vma_name(vma)); if (prev) { vma = prev; + mas_pause(&mas); goto next; } if (vma->vm_start < start) { ret = split_vma(mm, vma, start, 1); if (ret) break; + mas_pause(&mas); } if (vma->vm_end > end) { ret = split_vma(mm, vma, end, 0); if (ret) break; + mas_pause(&mas); } next: /*
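
Review bot: The three added mas_pause(&mas) calls (in the `if (prev)` branch before `goto next`, and after each successful split_vma()) carry no comment, so nothing in the code says that the pause is there because the merge or split changed the tree and the node held in the maple state may no longer be valid. A short comment above the first call, stating that any path which alters the tree must pause the state before the iteration continues, would keep a later refactor from dropping the calls as redundant or from adding a new tree-modifying path without one. Separately, both `if (ret) break;` paths leave the loop without pausing; that is fine as long as `mas` is not touched after the loop, which is worth confirming since the code after the loop is outside this hunk.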