Commit 02edb538 authored Nov 21, 2024 by Liam R. Howlett Committed by Liu Shixin Nov 21, 2024

remap_file_pages: Use vma_lookup() instead of find_vma()

mainline inclusion
from mainline-v5.15-rc1
commit 9b593cb2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQSE
CVE: CVE-2024-47745

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b593cb20283e68e5e65b09ca10038935297f05b

--------------------------------

Using vma_lookup() verifies the start address is contained in the found vma.
This results in easier to read code.

Link: https://lkml.kernel.org/r/20210817135234.1550204-1-Liam.Howlett@oracle.com


Signed-off-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>

parent baa4e700

mm/mmap.c

+1 −4

Original line number	Diff line number	Diff line
		@@ -3103,14 +3103,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
		if (mmap_write_lock_killable(mm))
		return -EINTR;

		vma = find_vma(mm, start);
		vma = vma_lookup(mm, start);

		if (!vma \|\| !(vma->vm_flags & VM_SHARED))
		goto out;

		if (start < vma->vm_start)
		goto out;

		if (start + size > vma->vm_end) {
		struct vm_area_struct *next;