From 0560f5f7b3a8f3ecf598e477a3d9d8cac5a5c75d Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan
Date: Fri, 18 Nov 2022 15:20:34 -0800
Subject: [PATCH] ANDROID: mm: prevent speculative page fault handling for userfaults
handle_userfault() should be protected against a concurrent userfaultfd_release(), therefore handling a userfaults speculatively without mmap_lock protection should be disallowed.
Bug: 257443051
Signed-off-by: Suren Baghdasaryan
Change-Id: Ic6ae39329c73e8849048ea15b5351a49346404d3
---
 mm/memory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mm/memory.c b/mm/memory.c
index 639b9b09e36e..62fba9f3fd67 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3387,6 +3387,8 @@ static vm_fault_t do_wp_page(struct vm_fault *vmf)
 if (userfaultfd_pte_wp(vma, *vmf->pte)) {
 pte_unmap_unlock(vmf->pte, vmf->ptl);
+ if (vmf->flags & FAULT_FLAG_SPECULATIVE)
+ return VM_FAULT_RETRY;
 return handle_userfault(vmf, VM_UFFD_WP);
 }
@@ -5010,7 +5012,7 @@ static vm_fault_t ___handle_speculative_fault(struct mm_struct *mm,
 vmf.vma_page_prot = READ_ONCE(vmf.vma->vm_page_prot);
 /* Can't call userland page fault handler in the speculative path */
- if (unlikely(vmf.vma_flags & VM_UFFD_MISSING)) {
+ if (unlikely(vmf.vma_flags & __VM_UFFD_FLAGS)) {
 trace_spf_vma_notsup(_RET_IP_, vmf.vma, address);
 return VM_FAULT_RETRY;
 }
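Review bot: The new FAULT_FLAG_SPECULATIVE bail-out in do_wp_page carries no comment, so a reader cannot tell why a speculative fault must not reach handle_userfault() here, nor why this check is still needed once the second hunk already rejects any uffd-registered VMA at ___handle_speculative_fault() entry. The commit message gives the reason (handle_userfault() must be serialized against userfaultfd_release(), which only mmap_lock provides), and the second hunk tests a snapshot in vmf.vma_flags whereas userfaultfd_pte_wp() appears to consult the live vma, so this check presumably covers a VMA that gained VM_UFFD_WP after the snapshot — that inference should be confirmed and then stated. I would add above the added `if`: `/* handle_userfault() needs mmap_lock to serialize against userfaultfd_release(); a speculative fault must fall back to the locked path */`. do_wp_page continues outside the hunk on both sides.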
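Review bot: The widened __VM_UFFD_FLAGS check keeps emitting trace_spf_vma_notsup() before returning VM_FAULT_RETRY, but the new speculative early return in the do_wp_page hunk returns VM_FAULT_RETRY with no trace at all, so retries caused by a write-protect marker are invisible to the spf tracepoints that account for every other unsupported-VMA retry in this function. If the asymmetry is deliberate (the pte-level check has no vma snapshot to report), a one-line comment at the do_wp_page return saying so would help; otherwise consider whether an equivalent trace belongs there. ___handle_speculative_fault's body continues outside the hunk.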