ANDROID: 16K: Fixup padding vm_flags bits on VMA splits

In some cases VMAs are split without the mmap write lock held;
later the lock is taken to fixup vm_flags of the original VMA.
Since some uppper bits of vm_flags are used to encode the ELF
padding ranges, they need to be modified on splits. This is
usually handled correctly by __split_vma(). However in the above
case, the flags get over witten later under the write lock.

Preserve vm_flag bits on reset to correctly represent padding.

Bug: 357901498
Change-Id: I1cb75419e614791a47cbdb0341373f619daf0bf2
Signed-off-by: Kalesh Singh <[email protected]>

Author: Kalesh Singh

fs/userfaultfd.c

@@ -29,6 +29,7 @@
 #include <linux/ioctl.h>
 #include <linux/security.h>
 #include <linux/hugetlb.h>
+#include <linux/pgsize_migration.h>
 
 int sysctl_unprivileged_userfaultfd __read_mostly;
 
@@ -1510,7 +1511,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx,
 		 * the next vma was merged into the current one and
 		 * the current one has not been updated yet.
 		 */
-		vma->vm_flags = new_flags;
+		vma->vm_flags = vma_pad_fixup_flags(vma, new_flags);
 		rcu_assign_pointer(vma->vm_userfaultfd_ctx.ctx, ctx);
 
 		if (is_vm_hugetlb_page(vma) && uffd_disable_huge_pmd_share(vma))
@@ -1690,7 +1691,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
 		 * the next vma was merged into the current one and
 		 * the current one has not been updated yet.
 		 */
-		vma->vm_flags = new_flags;
+		vma->vm_flags = vma_pad_fixup_flags(vma, new_flags);
 		rcu_assign_pointer(vma->vm_userfaultfd_ctx.ctx, NULL);
 
 	skip:

mm/madvise.c

@@ -182,7 +182,7 @@ static int madvise_update_vma(struct vm_area_struct *vma,
 	/*
 	 * vm_flags is protected by the mmap_lock held in write mode.
 	 */
-	vma->vm_flags = new_flags;
+	vma->vm_flags = vma_pad_fixup_flags(vma, new_flags);
 	if (!vma->vm_file) {
 		error = replace_anon_vma_name(vma, anon_name);
 		if (error)