diff options
| author |   Jann Horn <jannh@google.com> | 2024-08-05 14:52:03 +0200 |
|---|---|---|
| committer |   Andrew Morton <akpm@linux-foundation.org> | 2024-09-01 20:26:03 -0700 |
| commit | 17fe833b0de08a78bfb51388e0615969d73ea8ad (patch) | |
| tree | 1c5a44808d7a77dc19308a2747002be761fdc84f /mm/filemap.c | |
| parent | zswap: track swapins from disk more accurately (diff) | |
| download | linux-rng-17fe833b0de08a78bfb51388e0615969d73ea8ad.tar.xz linux-rng-17fe833b0de08a78bfb51388e0615969d73ea8ad.zip | |
mm: fix (harmless) type confusion in lock_vma_under_rcu()
There is a (harmless) type confusion in lock_vma_under_rcu(): After
vma_start_read(), we have taken the VMA lock but don't know yet whether
the VMA has already been detached and scheduled for RCU freeing. At this
point, ->vm_start and ->vm_end are accessed.
vm_area_struct contains a union such that ->vm_rcu uses the same memory as
->vm_start and ->vm_end; so accessing ->vm_start and ->vm_end of a
detached VMA is illegal and leads to type confusion between union members.
Fix it by reordering the vma->detached check above the address checks, and
document the rules for RCU readers accessing VMAs.
This will probably change the number of observed VMA_LOCK_MISS events
(since previously, trying to access a detached VMA whose ->vm_rcu has been
scheduled would bail out when checking the fault address against the
rcu_head members reinterpreted as VMA bounds).
Link: https://lkml.kernel.org/r/20240805-fix-vma-lock-type-confusion-v1-1-9f25443a9a71@google.com
Fixes: 50ee32537206 ("mm: introduce lock_vma_under_rcu to be used from arch-specific code")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Suren Baghdasaryan <surenb@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Diffstat (limited to 'mm/filemap.c')
0 files changed, 0 insertions, 0 deletions