userfaultfd: fix a race between writeprotect and exit_mmap()

jira VULN-4370
cve CVE-2021-47461
commit-author Nadav Amit <[email protected]>
commit cb185d5

A race is possible when a process exits, its VMAs are removed by
exit_mmap() and at the same time userfaultfd_writeprotect() is called.

The race was detected by KASAN on a development kernel, but it appears
to be possible on vanilla kernels as well.

Use mmget_not_zero() to prevent the race as done in other userfaultfd
operations.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: 63b2d41 ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl")
	Signed-off-by: Nadav Amit <[email protected]>
	Tested-by: Li  Wang <[email protected]>
	Reviewed-by: Peter Xu <[email protected]>
	Cc: Andrea Arcangeli <[email protected]>
	Cc: <[email protected]>
	Signed-off-by: Andrew Morton <[email protected]>
	Signed-off-by: Linus Torvalds <[email protected]>
(cherry picked from commit cb185d5)
	Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

fs/userfaultfd.c

@@ -1801,9 +1801,15 @@ static int userfaultfd_writeprotect(struct userfaultfd_ctx *ctx,
 	if (mode_wp && mode_dontwake)
 		return -EINVAL;
 
-	ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
-				  uffdio_wp.range.len, mode_wp,
-				  &ctx->mmap_changing);
+	if (mmget_not_zero(ctx->mm)) {
+		ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start,
+					  uffdio_wp.range.len, mode_wp,
+					  &ctx->mmap_changing);
+		mmput(ctx->mm);
+	} else {
+		return -ESRCH;
+	}
+
 	if (ret)
 		return ret;