[SRU][Bionic][PATCH 2/3] mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()

[Yuxuan Luo]

From: Li Xinhai <lixinhai.lxh at gmail.com>

In case the vma will continue to be used after unlink its relevant
anon_vma, we need to reset the vma->anon_vma pointer to NULL.  So, later
when fault happen within this vma again, a new anon_vma will be prepared.

By this way, the vma will only be checked for reverse mapping of pages
which been fault in after the unlink_anon_vmas call.

Currently, the mremap with MREMAP_DONTUNMAP scenario will continue use the
vma after moved its page table entries to a new vma.  For other scenarios,
the vma itself will be freed after call unlink_anon_vmas.

Link: https://lkml.kernel.org/r/20210119075126.3513154-1-lixinhai.lxh@gmail.com
Signed-off-by: Li Xinhai <lixinhai.lxh at gmail.com>
Cc: Andrea Arcangeli <aarcange at redhat.com>
Cc: Brian Geffon <bgeffon at google.com>
Cc: Kirill A. Shutemov <kirill.shutemov at linux.intel.com>
Cc: Lokesh Gidra <lokeshgidra at google.com>
Cc: Minchan Kim <minchan at kernel.org>
Cc: Vlastimil Babka <vbabka at suse.cz>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(cherry picked from commit ee8ab1903e3d912d8f10bedbf96c3b6a1c8cbede)
CVE-2022-42703
Signed-off-by: Yuxuan Luo <yuxuan.luo at canonical.com>
---
 mm/rmap.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/mm/rmap.c b/mm/rmap.c
index 658f267235ed..89b62b6b2008 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -406,8 +406,15 @@ void unlink_anon_vmas(struct vm_area_struct *vma)
 		list_del(&avc->same_vma);
 		anon_vma_chain_free(avc);
 	}
-	if (vma->anon_vma)
+	if (vma->anon_vma) {
 		vma->anon_vma->degree--;
+
+		/*
+		 * vma would still be needed after unlink, and anon_vma will be prepared
+		 * when handle fault.
+		 */
+		vma->anon_vma = NULL;
+	}
 	unlock_anon_vma_root(root);
 
 	/*
-- 
2.34.1