On Thu, Dec 06, 2018 at 04:20:28PM -0500, Andrea Arcangeli wrote:
> Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
> could trigger a harmless false positive WARN_ON. Check the vma is
> already registered before checking VM_MAYWRITE to shut off the
> false positive warning.
>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
> Reported-by: syzbot+06c7092e7d71218a2c16@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Andrea Arcangeli <aarcange@xxxxxxxxxx>
> ---
>  fs/userfaultfd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index cd58939dc977..7a85e609fc27 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		cond_resched();
>  
>  		BUG_ON(!vma_can_userfault(vma));
> -		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
>  
>  		/*
>  		 * Nothing to do: this vma is already registered into this

Maybe we want to fix this comment too some day:

/*
 * Nothing to do: this vma is already registered into this
 * userfaultfd and with the right tracking mode too.
 */

But I don't think it's anything urgent since it's clear it means the
other way round and it can potentially be touched up in any further
cleanup/fixes of uffd.

Acked-by: Peter Xu <peterx@xxxxxxxxxx>

> @@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		if (!vma->vm_userfaultfd_ctx.ctx)
>  			goto skip;
>  
> +		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
> +
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);

Thanks,

-- 
Peter Xu
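Review bot: in the first hunk, once the WARN_ON is dropped from above the registration check, the comment that follows it ("Nothing to do: this vma is already registered into this userfaultfd and with the right tracking mode too") is the only text describing the `if (!vma->vm_userfaultfd_ctx.ctx) goto skip;` that comes next, and it states the inverse of that condition: the skip is taken when the vma is not registered at all. Since the patch is already editing these lines, consider rewording it to `Nothing to do: this vma is not registered into any userfaultfd.` in the same change, so the comment and the code agree rather than leaving the correction to a later cleanup.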
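Review bot: in the second hunk the WARN_ON is now evaluated only after `if (!vma->vm_userfaultfd_ctx.ctx) goto skip;`, which is what removes the false positive, but the invariant it asserts (a registered vma must carry VM_MAYWRITE, because registration has required it since 29ec90660d68) is not stated anywhere near the new line. A one-line comment above it, e.g. `/* registered vmas must be VM_MAYWRITE, see 29ec90660d68 */`, would stop a future cleanup from moving the check back above the registration test and reintroducing the warning. The added blank line after the WARN_ON matches the surrounding spacing, so no style concern there.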