From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, "Liam R. Howlett", Jann Horn, Lorenzo Stoakes, Vlastimil Babka, "Matthew Wilcox (Oracle)", Suren Baghdasaryan, Andrew Morton
Subject: [PATCH 6.5 65/88] mmap: fix vma_iterator in error path of vma_merge()
Date: Mon, 6 Nov 2023 14:03:59 +0100
Message-ID: <20231106130308.159944719@linuxfoundation.org>
In-Reply-To: <20231106130305.772449722@linuxfoundation.org>
References: <20231106130305.772449722@linuxfoundation.org>

6.5-stable review patch. If anyone has any objections, please let me know.

------------------
From: Liam R. Howlett commit 1419430c8abb5a00590169068590dd54d86590ba upstream. During the error path, the vma iterator may not be correctly positioned or set to the correct range. Undo the vma_prev() call by resetting to the passed in address. Re-walking to the same range will fix the range to the area previously passed in. Users would notice increased cycles as vma_merge() would be called an extra time with vma == prev, and thus would fail to merge and return. Link: https://lore.kernel.org/linux-mm/CAG48ez12VN1JAOtTNMY+Y2YnsU45yL5giS-Qn=ejtiHpgJAbdQ@mail.gmail.com/ Link: https://lkml.kernel.org/r/20230929183041.2835469-2-Liam.Howlett@oracle.com Fixes: 18b098af2890 ("vma_merge: set vma iterator to correct position.") Signed-off-by: Liam R. Howlett Reported-by: Jann Horn Closes: https://lore.kernel.org/linux-mm/CAG48ez12VN1JAOtTNMY+Y2YnsU45yL5giS-Qn=ejtiHpgJAbdQ@mail.gmail.com/ Reviewed-by: Lorenzo Stoakes Acked-by: Vlastimil Babka Cc: Matthew Wilcox (Oracle) Cc: Suren Baghdasaryan Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- mm/mmap.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) --- a/mm/mmap.c +++ b/mm/mmap.c @@ -988,10 +988,10 @@ struct vm_area_struct *vma_merge(struct /* Error in anon_vma clone. */ if (err) - return NULL; + goto anon_vma_fail; if (vma_iter_prealloc(vmi)) - return NULL; + goto prealloc_fail; init_multi_vma_prep(&vp, vma, adjust, remove, remove2); VM_WARN_ON(vp.anon_vma && adjust && adjust->anon_vma && @@ -1024,6 +1024,12 @@ struct vm_area_struct *vma_merge(struct khugepaged_enter_vma(res, vm_flags); return res; + +prealloc_fail: +anon_vma_fail: + vma_iter_set(vmi, addr); + vma_iter_load(vmi); + return NULL; } /*
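Review bot: in the first hunk (@@ -988), only the two exits at the `if (err)` and `if (vma_iter_prealloc(vmi))` checks are redirected to the iterator reset, while the changelog describes the fix as undoing the vma_prev() call. Please confirm that no other `return NULL` between the vma_prev() call and these checks can leave the iterator moved, and say so in the changelog, since the hunk context alone does not show the earlier exits.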
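Review bot: in the second hunk (@@ -1024), the labels `prealloc_fail:` and `anon_vma_fail:` sit on consecutive lines and run identical code, so a single label would serve both gotos unless the two paths are expected to diverge, in which case a comment should say so. The result of `vma_iter_load(vmi);` is also unused here; a one-line comment that the call is made only to re-walk the tree so the iterator range matches `addr` again would put the changelog's reasoning next to the code.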