On 12/5/22 23:13, Vlastimil Babka wrote: > On 12/5/22 22:55, Jann Horn wrote: >> On Mon, Dec 5, 2022 at 9:32 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: >>> On Mon, 5 Dec 2022 19:23:17 +0000 Liam Howlett <liam.howlett@xxxxxxxxxx> wrote: >>> > Add more sanity checks to the VMA that do_brk_flags() will expand. >>> > Ensure the VMA matches basic merge requirements within the function >>> > before calling can_vma_merge_after(). >>> >>> I't unclear what's actually being fixed here. >>> >>> Why do you feel we need the above changes? >>> >>> > Drop the duplicate checks from vm_brk_flags() since they will be >>> > enforced later. >>> > >>> > Fixes: 2e7ce7d354f2 ("mm/mmap: change do_brk_flags() to expand existing VMA and add do_brk_munmap()") >>> >>> Fixes in what way? Removing the duplicate checks? >> >> The old code would expand file VMAs on brk(), which is functionally >> wrong and also dangerous in terms of locking because the brk() path >> isn't designed for file VMAs and therefore doesn't lock the file >> mapping. Checking can_vma_merge_after() ensures that new anonymous >> VMAs can't be merged into file VMAs. >> >> See https://lore.kernel.org/linux-mm/CAG48ez1tJZTOjS_FjRZhvtDA-STFmdw8PEizPDwMGFd_ui0Nrw@xxxxxxxxxxxxxx/ And yeah, that URL should have been a Link: in the patch. And the scenario it's fixing described in a bit more detail? > I guess the point is that if we fix it still within 6.1, we don't have to > devise how exactly this is exploitable, but due to the insufficient locking > it most likely is, right?