From 2554cb4775bd0b0717ae90d058cb6a7b20ca34ef Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan Date: Mon, 9 Jan 2023 12:53:16 -0800 Subject: [PATCH] FROMLIST: mm/mmap: write-lock VMAs affected by VMA expansion vma_expand changes VMA boundaries and might result in freeing an adjacent VMA. Write-lock affected VMAs to prevent concurrent page faults. Signed-off-by: Suren Baghdasaryan Link: https://lore.kernel.org/all/20230109205336.3665937-22-surenb@google.com/ [surenb: using older v1 of patchset due to __vma_adjust() being removed in 6.2-rc4] [surenb: lock next earlier when removing it like we do in v3: https://lore.kernel.org/all/20230216051750.3125598-18-surenb@google.com/] Bug: 161210518 Change-Id: I31aff80996b4ad646bdd6861ff6479c8eb2a690a Signed-off-by: Suren Baghdasaryan --- mm/mmap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mm/mmap.c b/mm/mmap.c index 704b655a55be..7e5f3167abec 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -528,6 +528,8 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, if (next && (vma != next) && (end == next->vm_end)) { remove_next = true; + /* Lock the VMA before removing it */ + vma_start_write(next); if (next->anon_vma && !vma->anon_vma) { int error; @@ -548,6 +550,7 @@ inline int vma_expand(struct ma_state *mas, struct vm_area_struct *vma, if (mas_preallocate(mas, vma, GFP_KERNEL)) goto nomem; + vma_start_write(vma); vma_adjust_trans_huge(vma, start, end, 0); if (file) {
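Review bot: in the first hunk (@@ -528), the new vma_start_write(next) in the remove_next branch is taken before the `if (next->anon_vma && !vma->anon_vma)` block, which declares `int error` and can therefore return early; the comment `/* Lock the VMA before removing it */` should also say what happens to the write lock on next when that block fails (for example, that the per-VMA write lock is only dropped together with the mmap write lock, so an error return leaves nothing to undo), or the vma_start_write(next) should move after the fallible anon_vma handling. The bracketed note "lock next earlier when removing it like we do in v3" records what was changed but not why the earlier position is safe on the failure path, and that is the point a reader of this backport will want.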
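Review bot: in the second hunk (@@ -548), vma_start_write(vma) is placed after `if (mas_preallocate(mas, vma, GFP_KERNEL)) goto nomem;`, so on the nomem path next (write-locked in the earlier hunk when remove_next is set) is locked while vma is not. Either state in the commit message that this asymmetry is harmless on the error return, or take vma_start_write(vma) before the mas_preallocate() call so both VMAs are locked at one point before any failure exit. The placement ahead of vma_adjust_trans_huge() itself looks right given the stated goal of blocking concurrent page faults before boundaries change, but a one-line comment like the one added for next would make that ordering explicit.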