On 6/6/23 20:29, Liam R. Howlett wrote: > The return of do_mprotect_pkey() can still be incorrectly returned as > success if there is a gap that spans to or beyond the end address passed > in. Update the check to ensure that the end address has indeed been > seen. > > Link: https://lore.kernel.org/all/CABi2SkXjN+5iFoBhxk71t3cmunTk-s=rB4T7qo0UQRh17s49PQ@xxxxxxxxxxxxxx/ > Fixes: 82f951340f25 ("mm/mprotect: fix do_mprotect_pkey() return on error") > Reported-by: Jeff Xu <jeffxu@xxxxxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> > Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx> Acked-by: Vlastimil Babka <vbabka@xxxxxxx> > --- > mm/mprotect.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/mm/mprotect.c b/mm/mprotect.c > index 92d3d3ca390a..c59e7561698c 100644 > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -867,7 +867,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, > } > tlb_finish_mmu(&tlb); > > - if (!error && vma_iter_end(&vmi) < end) > + if (!error && tmp < end) > error = -ENOMEM; > > out:
