[RAMEN9610-21208]coredump: fix race condition between mmget_not_zero()/get_task_mm...

[GitHub/MotorolaMobilityLLC/kernel-slsi.git] / fs / userfaultfd.c
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c

index 3eda623e4cb4d2a6097717d8da1d4d11f89e711c..0c906986f6f92428a1bcf26e8dd5fea27ba6e90d 100644 (file)
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -627,6 +627,8 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
  
                 /* the various vma->vm_userfaultfd_ctx still points to it */
                 down_write(&mm->mmap_sem);
+               /* no task can run (and in turn coredump) yet */
+               VM_WARN_ON(!mmget_still_valid(mm));
                 for (vma = mm->mmap; vma; vma = vma->vm_next)
                         if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
                                 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
@@ -867,6 +869,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
          * taking the mmap_sem for writing.
          */
         down_write(&mm->mmap_sem);
+       if (!mmget_still_valid(mm))
+               goto skip_mm;
         prev = NULL;
         for (vma = mm->mmap; vma; vma = vma->vm_next) {
                 cond_resched();
@@ -881,7 +885,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
                                  new_flags, vma->anon_vma,
                                  vma->vm_file, vma->vm_pgoff,
                                  vma_policy(vma),
-                                NULL_VM_UFFD_CTX);
+                                NULL_VM_UFFD_CTX,
+                                vma_get_anon_name(vma));
                 if (prev)
                         vma = prev;
                 else
@@ -889,6 +894,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
                 vma->vm_flags = new_flags;
                 vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
         }
+skip_mm:
         up_write(&mm->mmap_sem);
         mmput(mm);
  wakeup:
@@ -1327,6 +1333,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
                 goto out;
  
         down_write(&mm->mmap_sem);
+       if (!mmget_still_valid(mm))
+               goto out_unlock;
         vma = find_vma_prev(mm, start, &prev);
         if (!vma)
                 goto out_unlock;
@@ -1362,6 +1370,19 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
                 ret = -EINVAL;
                 if (!vma_can_userfault(cur))
                         goto out_unlock;
+
+               /*
+                * UFFDIO_COPY will fill file holes even without
+                * PROT_WRITE. This check enforces that if this is a
+                * MAP_SHARED, the process has write permission to the backing
+                * file. If VM_MAYWRITE is set it also enforces that on a
+                * MAP_SHARED vma: there is no F_WRITE_SEAL and no further
+                * F_WRITE_SEAL can be taken until the vma is destroyed.
+                */
+               ret = -EPERM;
+               if (unlikely(!(cur->vm_flags & VM_MAYWRITE)))
+                       goto out_unlock;
+
                 /*
                  * If this vma contains ending address, and huge pages
                  * check alignment.
@@ -1407,6 +1428,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
                 BUG_ON(!vma_can_userfault(vma));
                 BUG_ON(vma->vm_userfaultfd_ctx.ctx &&
                        vma->vm_userfaultfd_ctx.ctx != ctx);
+               WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
  
                 /*
                  * Nothing to do: this vma is already registered into this
@@ -1424,7 +1446,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
                 prev = vma_merge(mm, prev, start, vma_end, new_flags,
                                  vma->anon_vma, vma->vm_file, vma->vm_pgoff,
                                  vma_policy(vma),
-                                ((struct vm_userfaultfd_ctx){ ctx }));
+                                ((struct vm_userfaultfd_ctx){ ctx }),
+                                vma_get_anon_name(vma));
                 if (prev) {
                         vma = prev;
                         goto next;
@@ -1500,6 +1523,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
                 goto out;
  
         down_write(&mm->mmap_sem);
+       if (!mmget_still_valid(mm))
+               goto out_unlock;
         vma = find_vma_prev(mm, start, &prev);
         if (!vma)
                 goto out_unlock;
@@ -1561,6 +1586,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
                 if (!vma->vm_userfaultfd_ctx.ctx)
                         goto skip;
  
+               WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
                 if (vma->vm_start > start)
                         start = vma->vm_start;
                 vma_end = min(end, vma->vm_end);
@@ -1582,7 +1609,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
                 prev = vma_merge(mm, prev, start, vma_end, new_flags,
                                  vma->anon_vma, vma->vm_file, vma->vm_pgoff,
                                  vma_policy(vma),
-                                NULL_VM_UFFD_CTX);
+                                NULL_VM_UFFD_CTX,
+                                vma_get_anon_name(vma));
                 if (prev) {
                         vma = prev;
                         goto next;