On Tue, Jan 14, 2025 at 06:22:14PM +0000, Matthew Wilcox wrote:
> On Tue, Jan 14, 2025 at 06:19:32PM +0000, Lorenzo Stoakes wrote:
> > I see shmem_zero_page() does change vma->vm_page, this is broken... ugh. I
>
> I think you mean shmem_zero_setup() and vma->vm_file, right?

Yes, correct. Sorry, it's late here and it's showing, haha!

The reason I am concerned about this is that we thread mmap state through the operation, which has a separate file pointer, and this makes it a potential UAF.

Will audit all this and look for any other problematic .mmap() callback behaviour.

My view is that ideally this should be a callback with a const pointer to the VMA (or some other mechanism, perhaps) which accepts a change in _permitted_ fields only. The 'anything could happen and anybody could manipulate any field of the VMA' in this callback is highly problematic.

But we definitely shouldn't be adding a _new_ case here.