Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm: fix vma_start_write_killable() signal handling

If we get a signal, we need to restore the vm_refcnt. We don't think that
the refcount can actually be decremented to zero here as it requires the
VMA to be detached, and the vma_mark_detached() uses TASK_UNINTERRUPTIBLE.
However, that's a bit subtle, so handle it as if the refcount was zero at
the start of this function.

Link: https://lkml.kernel.org/r/20251128040100.3022561-1-willy@infradead.org
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>

Reported-by: syzbot+5b19bad23ac7f44bf8b8@syzkaller.appspotmail.com
Fixes: 2197bb60f890 ("mm: add vma_start_write_killable()")
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by Matthew Wilcox (Oracle) and committed by Andrew Morton
faf3c923 b60a3ef7

+8
+8
mm/mmap_lock.c
··· 74 74 refcount_read(&vma->vm_refcnt) == tgt_refcnt, 75 75 state); 76 76 if (err) { 77 + if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt)) { 78 + /* 79 + * The wait failed, but the last reader went away 80 + * as well. Tell the caller the VMA is detached. 81 + */ 82 + WARN_ON_ONCE(!detaching); 83 + err = 0; 84 + } 77 85 rwsem_release(&vma->vmlock_dep_map, _RET_IP_); 78 86 return err; 79 87 }
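
Review bot: In the new `if (refcount_sub_and_test(VMA_LOCK_OFFSET, &vma->vm_refcnt))` branch, `err = 0` is set unconditionally, so the path where `WARN_ON_ONCE(!detaching)` fires also returns 0 to the caller, even though the wait failed and VMA_LOCK_OFFSET has just been subtracted again. The in-code comment only covers the detaching case ("Tell the caller the VMA is detached"). Either extend the comment to say what a 0 return means for a non-detaching caller whose wait was interrupted, or clear `err` only when `detaching` is true and let the original error propagate otherwise. The commit message's reasoning that the count should not reach zero here (vma_mark_detached() waits in TASK_UNINTERRUPTIBLE) would also be worth carrying into the comment, since it is what justifies the WARN.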