 
            The patch titled Subject: userfaultfd: fix a race between writeprotect and exit_mmap() has been removed from the -mm tree. Its filename was userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap.patch
This patch was dropped because it was merged into mainline or a subsystem tree
------------------------------------------------------ From: Nadav Amit namit@vmware.com Subject: userfaultfd: fix a race between writeprotect and exit_mmap()
A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called.
The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well.
Use mmget_not_zero() to prevent the race as done in other userfaultfd operations.
Link: https://lkml.kernel.org/r/20210921200247.25749-1-namit@vmware.com Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Signed-off-by: Nadav Amit namit@vmware.com Tested-by: Li Wang liwang@redhat.com Reviewed-by: Peter Xu peterx@redhat.com Cc: Andrea Arcangeli aarcange@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---
fs/userfaultfd.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
--- a/fs/userfaultfd.c~userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap +++ a/fs/userfaultfd.c @@ -1827,9 +1827,15 @@ static int userfaultfd_writeprotect(stru if (mode_wp && mode_dontwake) return -EINVAL;
- ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, - uffdio_wp.range.len, mode_wp, - &ctx->mmap_changing); + if (mmget_not_zero(ctx->mm)) { + ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, + uffdio_wp.range.len, mode_wp, + &ctx->mmap_changing); + mmput(ctx->mm); + } else { + return -ESRCH; + } + if (ret) return ret;
_
Patches currently in -mm which might be from namit@vmware.com are
linux-stable-mirror@lists.linaro.org
