ANDROID: mm: prevent speculative page fault handling for userfaults

handle_userfault() must be protected against a concurrent
userfaultfd_release(); therefore handling userfaults speculatively,
i.e. without mmap_lock protection, must be disallowed.

Bug: 257443051
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ic6ae39329c73e8849048ea15b5351a49346404d3
Suren Baghdasaryan
2022-11-18 15:20:34 -08:00
parent 1169f70f8f
commit 0560f5f7b3


@@ -3387,6 +3387,8 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf)
if (userfaultfd_pte_wp(vma, *vmf->pte)) {
pte_unmap_unlock(vmf->pte, vmf->ptl);
if (vmf->flags & FAULT_FLAG_SPECULATIVE)
return VM_FAULT_RETRY;
return handle_userfault(vmf, VM_UFFD_WP);
}
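Review bot: The new early return at `if (vmf->flags & FAULT_FLAG_SPECULATIVE)` in do_wp_page carries no comment, whereas the parallel gate in ___handle_speculative_fault at least notes that the userland handler cannot be called on that path; a reader of this function has to dig up the commit to learn why a uffd-wp pte forces a retry. Suggested comment above the check: `/* handle_userfault() relies on mmap_lock to serialize against userfaultfd_release(); the speculative path holds no such lock, so fall back to the regular fault. */`. Placing the return after pte_unmap_unlock() is the right order, since VM_FAULT_RETRY must not be returned with ptl still held. I assume this pte-level check is needed because vmf->vma_flags is only a snapshot of the VMA, so the VMA-level gate in ___handle_speculative_fault alone is not sufficient; worth confirming and recording in the comment. do_wp_page continues outside the hunk.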
@@ -5010,7 +5012,7 @@ static vm_fault_t ___handle_speculative_fault(struct mm_struct *mm,
vmf.vma_page_prot = READ_ONCE(vmf.vma->vm_page_prot);
/* Can't call userland page fault handler in the speculative path */
if (unlikely(vmf.vma_flags & VM_UFFD_MISSING)) {
if (unlikely(vmf.vma_flags & __VM_UFFD_FLAGS)) {
trace_spf_vma_notsup(_RET_IP_, vmf.vma, address);
return VM_FAULT_RETRY;
}
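Review bot: The comment `/* Can't call userland page fault handler in the speculative path */` is unchanged while the test beneath it widens from VM_UFFD_MISSING to __VM_UFFD_FLAGS, so it still reads as a capability statement and does not record the locking reason for the change; a later reader may be tempted to narrow the mask again for the non-MISSING modes. Suggested replacement: `/* Any userfaultfd-registered VMA must take the regular fault path: handle_userfault() relies on mmap_lock to serialize against userfaultfd_release(), which the speculative path does not hold. */`. The widened mask presumably now also excludes VM_UFFD_WP and VM_UFFD_MINOR registrations, assuming __VM_UFFD_FLAGS is the union of the uffd VMA flags, which appears to be the intended effect. ___handle_speculative_fault begins and ends outside the hunk.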