mm/mseal: update VMA end correctly on merge

Lorenzo Stoakes (Oracle) · akpm00 · commit 2697dd8ae721 · 2026-03-27T20:48:38.000-07:00
Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA. However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_modify_flags(), which can result in curr_end being stale and thus, upon setting curr_start to curr_end, ending up with an incorrect curr_start on the next iteration. Resolve the issue by setting curr_end to vma->vm_end unconditionally to ensure this value remains updated should this occur. While we're here, eliminate this entire class of bug by simply setting const curr_[start/end] to be clamped to the input range and VMAs, which also happens to simplify the logic. Link: https://lkml.kernel.org/r/20260327173104.322405-1-ljs@kernel.org Fixes: 6c2da14 ("mm/mseal: rework mseal apply logic") Signed-off-by: Lorenzo Stoakes (Oracle) <ljs@kernel.org> Reported-by: Antonius <antonius@bluedragonsec.com> Closes: https://lore.kernel.org/linux-mm/CAK8a0jwWGj9-SgFk0yKFh7i8jMkwKm5b0ao9=kmXWjO54veX2g@mail.gmail.com/ Suggested-by: David Hildenbrand (ARM) <david@kernel.org> Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Reviewed-by: Pedro Falcato <pfalcato@suse.de> Acked-by: David Hildenbrand (Arm) <david@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Jeff Xu <jeffxu@chromium.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/mm/mseal.c b/mm/mseal.c
@@ -56,7 +56,6 @@ static int mseal_apply(struct mm_struct *mm,
 		unsigned long start, unsigned long end)
 {
 	struct vm_area_struct *vma, *prev;
-	unsigned long curr_start = start;
 	VMA_ITERATOR(vmi, mm, start);
 
 	/* We know there are no gaps so this will be non-NULL. */
@@ -66,6 +65,7 @@ static int mseal_apply(struct mm_struct *mm,
 		prev = vma;
 
 	for_each_vma_range(vmi, vma, end) {
+		const unsigned long curr_start = MAX(vma->vm_start, start);
 		const unsigned long curr_end = MIN(vma->vm_end, end);
 
 		if (!(vma->vm_flags & VM_SEALED)) {
@@ -79,7 +79,6 @@ static int mseal_apply(struct mm_struct *mm,
 		}
 
 		prev = vma;
-		curr_start = curr_end;
 	}
 
 	return 0;

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,6 @@ static int mseal_apply(struct mm_struct *mm,`
`56`	`56`	`unsigned long start, unsigned long end)`
`57`	`57`	`{`
`58`	`58`	`struct vm_area_struct vma, prev;`
`59`		`- unsigned long curr_start = start;`
`60`	`59`	`VMA_ITERATOR(vmi, mm, start);`
`61`	`60`
`62`	`61`	`/* We know there are no gaps so this will be non-NULL. */`
`@@ -66,6 +65,7 @@ static int mseal_apply(struct mm_struct *mm,`
`66`	`65`	`prev = vma;`
`67`	`66`
`68`	`67`	`for_each_vma_range(vmi, vma, end) {`
	`68`	`+ const unsigned long curr_start = MAX(vma->vm_start, start);`
`69`	`69`	`const unsigned long curr_end = MIN(vma->vm_end, end);`
`70`	`70`
`71`	`71`	`if (!(vma->vm_flags & VM_SEALED)) {`
`@@ -79,7 +79,6 @@ static int mseal_apply(struct mm_struct *mm,`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`prev = vma;`
`82`		`- curr_start = curr_end;`
`83`	`82`	`}`
`84`	`83`
`85`	`84`	`return 0;`