[PATCH] mm: userfaultfd: fix use-after-free in userfaultfd_clear_vma()

After invoking vma_modify_flags_uffd() in userfaultfd_clear_vma(), we may
have merged the vma, and depending on the kind of merge, deleted the vma,
rendering the vma pointer invalid.

The code incorrectly referenced this now possibly invalid vma pointer when
invoking userfaultfd_reset_ctx().

If no merge is possible, vma_modify_flags_uffd() performs a split and
returns the original vma. Therefore the correct approach is to simply pass
the ret pointer to userfaultfd_reset_ctx().

Reported-by: Pengfei Xu <pengfei.xu@xxxxxxxxx>
Fixes: e310f2b78a77 ("userfaultfd: move core VMA manipulation logic to mm/userfaultfd.c")
Closes: https://lore.kernel.org/all/ZrLt9HIxV9QiZotn@xxxxxxxxxxxxxxxx/
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@xxxxxxxxxx>
---
 mm/userfaultfd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 3b7715ecf292..966e6c81a685 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -1813,7 +1813,7 @@ struct vm_area_struct *userfaultfd_clear_vma(struct vma_iterator *vmi,
 	 * the current one has not been updated yet.
 	 */
 	if (!IS_ERR(ret))
-		userfaultfd_reset_ctx(vma);
+		userfaultfd_reset_ctx(ret);

 	return ret;
 }
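Review bot: the one-line change is correct as far as this hunk shows, but the hunk only covers the single dereference of `vma` after vma_modify_flags_uffd(); since a merge can free `vma`, please confirm there is no remaining use of `vma` (or of fields read through it) anywhere between that call and `return ret;` in userfaultfd_clear_vma(), and consider extending the comment ending in "the current one has not been updated yet." so it states explicitly that `vma` may have been freed by the merge and that only `ret` is valid from that point on. A one-line note there would keep the next person who touches this function from reintroducing the same use-after-free.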
--
2.45.2