git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Fuad Tabba <tabba@google.com>
	Fri, 6 Mar 2026 14:02:23 +0000 (14:02 +0000)
committer	Marc Zyngier <maz@kernel.org>
	Sat, 28 Mar 2026 11:29:40 +0000 (11:29 +0000)
commit	f5a5bb8de11863bd92f4188b7e823e3fca4d68e6
tree	716262f04a8af0323f318939790bfe25cdc813b2	tree \| snapshot
parent	bae99813c6a9ce474cbb7b6553dc6e379b2f4375	commit \| diff

KVM: arm64: Isolate mmap_read_lock inside new kvm_s2_fault_get_vma_info() helper

Extract the VMA lookup and metadata snapshotting logic from
kvm_s2_fault_pin_pfn() into a tightly-scoped sub-helper.

This refactoring structurally fixes a TOCTOU (Time-Of-Check to
Time-Of-Use) vulnerability and Use-After-Free risk involving the vma
pointer. In the previous layout, the mmap_read_lock is taken, the vma is
looked up, and then the lock is dropped before the function continues to
map the PFN. While an explicit vma = NULL safeguard was present, the vma
variable was still lexically in scope for the remainder of the function.

By isolating the locked region into kvm_s2_fault_get_vma_info(), the vma
pointer becomes a local variable strictly confined to that sub-helper.
Because the pointer's scope literally ends when the sub-helper returns,
it is not possible for the subsequent page fault logic in
kvm_s2_fault_pin_pfn() to accidentally access the vanished VMA,
eliminating this bug class by design.

Signed-off-by: Fuad Tabba <tabba@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>