On Friday, 24.02.2023 at 16:20 -0500, Liam R. Howlett wrote:
> If mprotect_fixup() successfully calls vma_merge() and replaces vma
> and the next vma, then the tmp variable in the do_mprotect_pkey() is
> not updated to point to the new vma end. This results in the loop
> detecting a gap between VMAs that does not exist. Fix the faulty value
> of tmp by setting it to the end location of the vma iterator at the end
> of the loop.
>
> Reported-by: Bert Karwatzki <spasswolf@xxxxxx>
> Bug: https://bugzilla.kernel.org/show_bug.cgi?id=217061
> Fixes: 2286a6914c77 ("mm: change mprotect_fixup to vma iterator")
> Link: https://lore.kernel.org/linux-mm/20230223120407.729110a6ecd1416ac59d9cb0@xxxxxxxxxxxxxxxxxxxx/
> Signed-off-by: Liam R. Howlett <Liam.Howlett@xxxxxxxxxx>
> ---
>  mm/mprotect.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index 1d4843c97c2a..231929f119d9 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -832,6 +832,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
>  		if (error)
>  			break;
>  
> +		tmp = vma_iter_end(&vmi);
>  		nstart = tmp;
>  		prot = reqprot;
>  	}

I tested this in linux-next-20230224 by starting stellaris from steam (which is the only way I managed to trigger the bug) and it fixes the issue for me.

Bert Karwatzki
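Review bot: the added `tmp = vma_iter_end(&vmi);` in the mm/mprotect.c hunk deserves a one-line comment, because the following `nstart = tmp;` now silently depends on the merge outcome rather than on the value tmp held when mprotect_fixup() was called; something like `/* vma_merge() may have extended the vma past tmp; re-read the end from the iterator */` would keep the reason for the re-read visible next to the code rather than only in the commit message. Since the re-read happens after the `if (error) break;` check, the error path still exits with the old tmp, which is fine as nothing uses it afterwards in the hunk. It is also worth confirming in the loop condition (outside the hunk) that a nstart advanced past the requested range end by the merged vma still terminates the loop cleanly instead of being reported as a gap.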