mm, uprobes: fix multiple free of ->uprobes_state.xol_area
index d416f3baf3924d8093cf275fb1d290bf9d3564e4..267f6ef91d9709e2f53c35e053a792d3fcede64d 100644 (file)
@@ -27,6 +27,8 @@
 #include <linux/pagemap.h>     /* read_mapping_page */
 #include <linux/slab.h>
 #include <linux/sched.h>
+#include <linux/sched/mm.h>
+#include <linux/sched/coredump.h>
 #include <linux/export.h>
 #include <linux/rmap.h>                /* anon_vma_prepare */
 #include <linux/mmu_notifier.h>        /* set_pte_at_notify */
@@ -153,14 +155,19 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
                                struct page *old_page, struct page *new_page)
 {
        struct mm_struct *mm = vma->vm_mm;
-       spinlock_t *ptl;
-       pte_t *ptep;
+       struct page_vma_mapped_walk pvmw = {
+               .page = old_page,
+               .vma = vma,
+               .address = addr,
+       };
        int err;
        /* For mmu_notifiers */
        const unsigned long mmun_start = addr;
        const unsigned long mmun_end   = addr + PAGE_SIZE;
        struct mem_cgroup *memcg;
 
+       VM_BUG_ON_PAGE(PageTransHuge(old_page), old_page);
+
        err = mem_cgroup_try_charge(new_page, vma->vm_mm, GFP_KERNEL, &memcg,
                        false);
        if (err)
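Review bot: The new `VM_BUG_ON_PAGE(PageTransHuge(old_page), old_page)` turns a huge page reaching __replace_page() into a hard stop, and it is only safe because the caller in uprobe_write_opcode() now passes `FOLL_FORCE | FOLL_SPLIT` to get_user_pages_remote() (the hunk at `@@ -300,8 +308,8 @@`); neither site records that coupling, so a later change to the gup flags would silently reintroduce the crash. I would put `/* THPs must be split by the caller (FOLL_SPLIT in uprobe_write_opcode()); the single-PTE walk below cannot replace a huge page */` above the assertion, and `/* FOLL_SPLIT: __replace_page() only handles one PTE */` on the get_user_pages_remote() line. The pvmw initialiser leaves `.flags` at zero, which matches the sync=0 argument of the page_check_address() call it replaces, so no behavioural change there as far as the hunk shows. __replace_page()'s body continues past this hunk.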
@@ -171,11 +178,11 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
 
        mmu_notifier_invalidate_range_start(mm, mmun_start, mmun_end);
        err = -EAGAIN;
-       ptep = page_check_address(old_page, mm, addr, &ptl, 0);
-       if (!ptep) {
+       if (!page_vma_mapped_walk(&pvmw)) {
                mem_cgroup_cancel_charge(new_page, memcg, false);
                goto unlock;
        }
+       VM_BUG_ON_PAGE(addr != pvmw.address, old_page);
 
        get_page(new_page);
        page_add_new_anon_rmap(new_page, vma, addr, false);
@@ -187,14 +194,15 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
                inc_mm_counter(mm, MM_ANONPAGES);
        }
 
-       flush_cache_page(vma, addr, pte_pfn(*ptep));
-       ptep_clear_flush_notify(vma, addr, ptep);
-       set_pte_at_notify(mm, addr, ptep, mk_pte(new_page, vma->vm_page_prot));
+       flush_cache_page(vma, addr, pte_pfn(*pvmw.pte));
+       ptep_clear_flush_notify(vma, addr, pvmw.pte);
+       set_pte_at_notify(mm, addr, pvmw.pte,
+                       mk_pte(new_page, vma->vm_page_prot));
 
        page_remove_rmap(old_page, false);
        if (!page_mapped(old_page))
                try_to_free_swap(old_page);
-       pte_unmap_unlock(ptep, ptl);
+       page_vma_mapped_walk_done(&pvmw);
 
        if (vma->vm_flags & VM_LOCKED)
                munlock_vma_page(old_page);
@@ -300,8 +308,8 @@ int uprobe_write_opcode(struct mm_struct *mm, unsigned long vaddr,
 
 retry:
        /* Read the page with vaddr into memory */
-       ret = get_user_pages_remote(NULL, mm, vaddr, 1, FOLL_FORCE, &old_page,
-                       &vma, NULL);
+       ret = get_user_pages_remote(NULL, mm, vaddr, 1,
+                       FOLL_FORCE | FOLL_SPLIT, &old_page, &vma, NULL);
        if (ret <= 0)
                return ret;
 
@@ -741,7 +749,7 @@ build_map_info(struct address_space *mapping, loff_t offset, bool is_register)
                        continue;
                }
 
-               if (!atomic_inc_not_zero(&vma->vm_mm->mm_users))
+               if (!mmget_not_zero(vma->vm_mm))
                        continue;
 
                info = prev;
@@ -1254,8 +1262,6 @@ void uprobe_end_dup_mmap(void)
 
 void uprobe_dup_mmap(struct mm_struct *oldmm, struct mm_struct *newmm)
 {
-       newmm->uprobes_state.xol_area = NULL;
-
        if (test_bit(MMF_HAS_UPROBES, &oldmm->flags)) {
                set_bit(MMF_HAS_UPROBES, &newmm->flags);
                /* unconditionally, dup_mmap() skips VM_DONTCOPY vmas */
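Review bot: Dropping `newmm->uprobes_state.xol_area = NULL;` makes uprobe_dup_mmap() silently depend on the new mm arriving with that field already cleared, and nothing in the hunk says where that now happens (presumably during mm initialisation in fork, outside this file). A one-line comment at the top of the body would stop a later reader from re-adding the assignment or assuming the parent's pointer is meant to be inherited: `/* ->uprobes_state.xol_area is not inherited from oldmm and must already be NULL here; clearing it at this point is too late (see "fix multiple free of ->uprobes_state.xol_area") */`. uprobe_dup_mmap()'s body continues beyond the hunk.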