userfaultfd: shmem: add i_size checks (4ce33762) · Commits · e / devices / android_kernel_oneplus_sm7250

mm/shmem.c

+16 −2

Original line number	Diff line number	Diff line
		@@ -2264,6 +2264,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
		struct page *page;
		pte_t _dst_pte, *dst_pte;
		int ret;
		pgoff_t offset, max_off;

		ret = -ENOMEM;
		if (!shmem_inode_acct_block(inode, 1))
		@@ -2301,6 +2302,12 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
		__SetPageSwapBacked(page);
		__SetPageUptodate(page);

		ret = -EFAULT;
		offset = linear_page_index(dst_vma, dst_addr);
		max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
		if (unlikely(offset >= max_off))
		goto out_release;

		ret = mem_cgroup_try_charge_delay(page, dst_mm, gfp, &memcg, false);
		if (ret)
		goto out_release;
		@@ -2319,8 +2326,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
		if (dst_vma->vm_flags & VM_WRITE)
		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));

		ret = -EEXIST;
		dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);

		ret = -EFAULT;
		max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
		if (unlikely(offset >= max_off))
		goto out_release_uncharge_unlock;

		ret = -EEXIST;
		if (!pte_none(*dst_pte))
		goto out_release_uncharge_unlock;

		@@ -2338,13 +2351,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,

		/* No need to invalidate - it was non-present before */
		update_mmu_cache(dst_vma, dst_addr, dst_pte);
		unlock_page(page);
		pte_unmap_unlock(dst_pte, ptl);
		unlock_page(page);
		ret = 0;
		out:
		return ret;
		out_release_uncharge_unlock:
		pte_unmap_unlock(dst_pte, ptl);
		delete_from_page_cache(page);
		out_release_uncharge:
		mem_cgroup_cancel_charge(page, memcg, false);
		out_release:

mm/userfaultfd.c

+24 −2

Original line number	Diff line number	Diff line
		@@ -33,6 +33,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
		void *page_kaddr;
		int ret;
		struct page *page;
		pgoff_t offset, max_off;
		struct inode *inode;

		if (!*pagep) {
		ret = -ENOMEM;
		@@ -73,8 +75,17 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm,
		if (dst_vma->vm_flags & VM_WRITE)
		_dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte));

		ret = -EEXIST;
		dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
		if (dst_vma->vm_file) {
		/* the shmem MAP_PRIVATE case requires checking the i_size */
		inode = dst_vma->vm_file->f_inode;
		offset = linear_page_index(dst_vma, dst_addr);
		max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
		ret = -EFAULT;
		if (unlikely(offset >= max_off))
		goto out_release_uncharge_unlock;
		}
		ret = -EEXIST;
		if (!pte_none(*dst_pte))
		goto out_release_uncharge_unlock;

		@@ -108,11 +119,22 @@ static int mfill_zeropage_pte(struct mm_struct *dst_mm,
		pte_t _dst_pte, *dst_pte;
		spinlock_t *ptl;
		int ret;
		pgoff_t offset, max_off;
		struct inode *inode;

		_dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr),
		dst_vma->vm_page_prot));
		ret = -EEXIST;
		dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl);
		if (dst_vma->vm_file) {
		/* the shmem MAP_PRIVATE case requires checking the i_size */
		inode = dst_vma->vm_file->f_inode;
		offset = linear_page_index(dst_vma, dst_addr);
		max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE);
		ret = -EFAULT;
		if (unlikely(offset >= max_off))
		goto out_unlock;
		}
		ret = -EEXIST;
		if (!pte_none(*dst_pte))
		goto out_unlock;
		set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte);