+ userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch added to -mm tree

The patch titled
     Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
has been added to the -mm tree.  Its filename is
     userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx>
Subject: userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails

The fix in 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx
if UFFD_EVENT_FORK fails") cleared the vma->vm_userfaultfd_ctx but kept
userfaultfd flags in vma->vm_flags that were copied from the parent
process VMA.

As a result, there is an inconsistency between the values of
vma->vm_userfaultfd_ctx.ctx and vma->vm_flags which triggers BUG_ON in
userfaultfd_release().

Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
failure resolves the issue.

Link: http://lkml.kernel.org/r/1532931975-25473-1-git-send-email-rppt@xxxxxxxxxxxxxxxxxx
Fixes: 0cbb4b4f4c44 ("userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails")
Signed-off-by: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx>
Reported-by: syzbot+121be635a7a35ddb7dcb@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Eric Biggers <ebiggers3@xxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---


diff -puN fs/userfaultfd.c~userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails fs/userfaultfd.c
--- a/fs/userfaultfd.c~userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails
+++ a/fs/userfaultfd.c
@@ -633,8 +633,10 @@ static void userfaultfd_event_wait_compl
 		/* the various vma->vm_userfaultfd_ctx still points to it */
 		down_write(&mm->mmap_sem);
 		for (vma = mm->mmap; vma; vma = vma->vm_next)
-			if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
+			if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
 				vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
+				vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
+			}
 		up_write(&mm->mmap_sem);
 
 		userfaultfd_ctx_put(release_new_ctx);
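Review bot: the mask on the added `vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);` line is a second, hand-maintained copy of the flag set that userfaultfd_release() compares against vma->vm_userfaultfd_ctx; if a future uffd VM_ flag is added to one site but not the other, the BUG_ON this patch fixes comes back on the fork-failure path. Consider a one-line comment here stating that the pair must match the flags tested in userfaultfd_release(), or factoring both uses into a single shared mask. The new braces are required now that the loop body has two statements, and clearing the ctx pointer and the flags together under the same down_write(&mm->mmap_sem) is the right place to restore the invariant, since the two fields are only ever inspected together.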
_

Patches currently in -mm which might be from rppt@xxxxxxxxxxxxxxxxxx are

userfaultfd-remove-uffd-flags-from-vma-vm_flags-if-uffd_event_fork-fails.patch
mm-make-deferred_struct_page_init-explicitly-depend-on-sparsemem.patch
mm-memblock-replace-u64-with-phys_addr_t-where-appropriate.patch
mm-mempool-add-missing-parameter-description.patch
mm-util-make-strndup_user-description-a-kernel-doc-comment.patch
mm-util-add-kernel-doc-for-kvfree.patch
docs-core-api-kill-trailing-whitespace-in-kernel-apirst.patch
docs-core-api-move-strmemdup-to-string-manipulation.patch
docs-core-api-split-memory-management-api-to-a-separate-file.patch
docs-mm-make-gfp-flags-descriptions-usable-as-kernel-doc.patch
docs-core-api-mm-api-add-section-about-gfp-flags.patch
