mm/vma: Fix null pointer dereference in vms_abort_munmap_vmas()

Commit Message

Liam R. Howlett Aug. 27, 2024, 5:15 p.m. UTC

From: "Liam R. Howlett" <Liam.Howlett@Oracle.com>

Don't pass a NULL vma to the vma_iter_store(), instead set up the maple
state for the store and do it manually.  vma_iter_clear() cannot be used
as it needs preallocations.

Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 mm/vma.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Patch

diff --git a/mm/vma.h b/mm/vma.h
index f710812482a1..5f525d723390 100644

Andrew,

Please squash this into Commit 131e4ef350fa ("mm: change failure of
MAP_FIXED to restoring the gap on failure")

--- a/mm/vma.h
+++ b/mm/vma.h
@@ -173,6 +173,7 @@  static inline void reattach_vmas(struct ma_state *mas_detach)
 static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
 		struct ma_state *mas_detach)
 {
+	struct ma_state *mas = &vms->vmi->mas;
 	if (!vms->nr_pages)
 		return;
 
@@ -184,13 +185,14 @@  static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
 	 * not symmetrical and state data has been lost.  Resort to the old
 	 * failure method of leaving a gap where the MAP_FIXED mapping failed.
 	 */
-	if (unlikely(vma_iter_store_gfp(vms->vmi, NULL, GFP_KERNEL))) {
+	mas_set_range(mas, vms->start, vms->end);
+	if (unlikely(mas_store_gfp(mas, NULL, GFP_KERNEL))) {
 		pr_warn_once("%s: (%d) Unable to abort munmap() operation\n",
 			     current->comm, current->pid);
 		/* Leaving vmas detached and in-tree may hamper recovery */
 		reattach_vmas(mas_detach);
 	} else {
-		/* Clean up the insertion of unfortunate the gap */
+		/* Clean up the insertion of the unfortunate gap */
 		vms_complete_munmap_vmas(vms, mas_detach);
 	}
 }