mm/mprotect: fix do_mprotect_pkey() limit check

howlett · akpm00 · commit 77795f900e2a · 2023-06-19T13:19:31.000-07:00
The return of do_mprotect_pkey() can still be incorrectly returned as success if there is a gap that spans to or beyond the end address passed in. Update the check to ensure that the end address has indeed been seen. Link: https://lore.kernel.org/all/CABi2SkXjN+5iFoBhxk71t3cmunTk-s=rB4T7qo0UQRh17s49PQ@mail.gmail.com/ Link: https://lkml.kernel.org/r/20230606182912.586576-1-Liam.Howlett@oracle.com Fixes: 82f9513 ("mm/mprotect: fix do_mprotect_pkey() return on error") Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com> Reported-by: Jeff Xu <jeffxu@chromium.org> Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Vlastimil Babka <vbabka@suse.cz> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/mm/mprotect.c b/mm/mprotect.c
@@ -867,7 +867,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
 	}
 	tlb_finish_mmu(&tlb);
 
-	if (!error && vma_iter_end(&vmi) < end)
+	if (!error && tmp < end)
 		error = -ENOMEM;
 
 out:

Original file line number	Diff line number	Diff line change
`@@ -867,7 +867,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,`
`867`	`867`	`}`
`868`	`868`	`tlb_finish_mmu(&tlb);`
`869`	`869`
`870`		`- if (!error && vma_iter_end(&vmi) < end)`
	`870`	`+ if (!error && tmp < end)`
`871`	`871`	`error = -ENOMEM;`
`872`	`872`
`873`	`873`	`out:`