android_kernel_asus_sm8350/mm
Vijayanand Jitta c6efde4313 mm: vmalloc: prevent use after free in _vm_unmap_aliases
A potential use after free can occur in _vm_unmap_aliases where an already
freed vmap_area could be accessed. Consider the following scenario:

Process 1						Process 2

__vm_unmap_aliases					__vm_unmap_aliases
	purge_fragmented_blocks_allcpus				rcu_read_lock()
		rcu_read_lock()
			list_del_rcu(&vb->free_list)
									list_for_each_entry_rcu(vb .. )
	__purge_vmap_area_lazy
		kmem_cache_free(va)
										va_start = vb->va->va_start

Here Process 1 is in the purge path and it does list_del_rcu on the vmap_block and
later frees the vmap_area. Since Process 2 was holding the rcu lock at
this time, the vmap_block will still be present and Process 2 accesses it and
thereby tries to access the vmap_area of that vmap_block, which was already
freed by Process 1, and this results in a use after free.

Fix this by adding a check for vb->dirty before accessing the vmap_area
structure. Since vb->dirty will be set to VMAP_BBMAP_BITS in the purge path,
checking for this will prevent the use after free.

Change-Id: Ibba0e2ee0d0f049aa0158b78b086aeaad6b70f68
Link: https://lkml.kernel.org/r/1616062105-23263-1-git-send-email-vjitta@codeaurora.org
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>
Git-Commit: ad216c0316ad6391d90f4de0a7f59396b2925a06
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-07-29 20:47:17 -07:00
kasan Merge android-5.4-stable.45 (a9a13ee) into msm-5.4 2020-07-09 17:51:24 -07:00
backing-dev.c bdi: add a ->dev_name field to struct backing_dev_info 2020-05-14 07:58:30 +02:00
balloon_compaction.c mm/balloon_compaction: suppress allocation warnings 2019-09-04 07:42:01 -04:00
cleancache.c
cma_debug.c Revert "Revert "mm: cma: make writeable CMA debugfs optional"" 2020-12-17 15:22:06 +05:30
cma.c Merge android11-5.4.86+ (7d99cf8) into msm-5.4 2021-06-07 15:17:29 +05:30
cma.h
compaction.c mem-offline: improve the effective utilization of movable zone 2020-09-04 06:15:14 -07:00
debug_page_ref.c
debug.c mm/debug.c: always print flags in dump_page() 2020-03-05 16:43:51 +01:00
dmapool.c
early_ioremap.c
fadvise.c fs: Export generic_fadvise() 2019-08-30 22:43:58 -07:00
failslab.c
filemap.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
frame_vector.c mm: untag user pointers in get_vaddr_frames 2019-09-25 17:51:41 -07:00
frontswap.c
gup_benchmark.c mm/gup: fix memory leak in __gup_benchmark_ioctl 2020-01-09 10:20:00 +01:00
gup.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
highmem.c
hmm.c pagewalk: separate function pointers from iterator data 2019-09-07 04:28:04 -03:00
huge_memory.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
hugetlb_cgroup.c mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() 2019-11-15 18:34:00 -08:00
hugetlb.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
hwpoison-inject.c
init-mm.c mm: protect mm_rb tree with a rwlock 2020-06-11 16:02:05 +05:30
internal.h mm: provide speculative fault infrastructure 2020-06-11 16:02:05 +05:30
interval_tree.c
Kconfig Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
Kconfig.debug mm, page_owner: set page owner info for tail pages 2020-02-27 15:13:14 -08:00
khugepaged.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
kmemleak-test.c
kmemleak.c mm/kmemleak.c: use address-of operator on section symbols 2020-10-01 13:17:53 +02:00
ksm.c mm/ksm: Remove reuse_ksm_page() 2020-11-30 18:16:52 -08:00
list_lru.c mm: list_lru: set shrinker map bit when child nr_items is not zero 2020-12-11 13:23:31 +01:00
maccess.c uaccess: Add non-pagefault user-space write function 2020-01-17 19:48:40 +01:00
madvise.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
Makefile Merge "mm: Add notifier framework for showing memory" 2019-10-11 23:42:08 -07:00
memblock.c Merge android11-5.4.61+ (e0b1644) into msm-5.4 2020-12-18 12:47:46 +05:30
memcontrol.c mm: memcg/slab: fix root memcg vmstats 2020-11-24 13:29:24 +01:00
memfd.c mm: page cache: store only head pages in i_pages 2019-09-24 15:54:08 -07:00
memory_hotplug.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
memory-failure.c mm: Enhance per process reclaim to consider shared pages 2020-06-02 21:31:03 -07:00
memory.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
mempolicy.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
mempool.c
memremap.c mm/memory_hotplug: shrink zones when offlining memory 2020-01-09 10:19:56 +01:00
memtest.c
migrate.c mm/migrate: Pass vm_fault pointer to migrate_misplaced_page() 2020-06-11 16:02:03 +05:30
mincore.c mm: untag user pointers passed to memory syscalls 2019-09-25 17:51:41 -07:00
mlock.c mm: protect VMA modifications using VMA sequence count 2020-06-09 10:55:00 +05:30
mm_init.c
mmap.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
mmu_context.c mm: fix kthread_use_mm() vs TLB invalidate 2020-09-03 11:26:51 +02:00
mmu_gather.c mm/mmu_gather: invalidate TLB correctly on batch allocation failure and flush 2020-02-11 04:35:42 -08:00
mmu_notifier.c mm/mmu_notifiers: use the right return code for WARN_ON 2019-11-06 08:47:50 -08:00
mmzone.c
mprotect.c Revert "BACKPORT: FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once" 2021-01-18 16:25:18 +00:00
mremap.c Merge android-5.4-stable.45 (a9a13ee) into msm-5.4 2020-07-09 17:51:24 -07:00
msync.c mm: untag user pointers passed to memory syscalls 2019-09-25 17:51:41 -07:00
nommu.c x86/mm: split vmalloc_sync_all() 2020-03-25 08:25:58 +01:00
oom_kill.c Merge "mm/oom_kill: defer panic_on_oom for a timeout" 2020-11-11 23:35:25 -08:00
OWNERS ANDROID: Add OWNERS files referring to the respective android-mainline OWNERS 2021-04-01 13:45:14 +00:00
page_alloc.c Merge "Merge android11-5.4.86+ (5d7dfa3) into msm-5.4" 2021-04-26 08:14:44 -07:00
page_counter.c Revert "ANDROID: Revert: Merge 5.4.60 into android11-5.4" 2020-08-23 13:12:51 +02:00
page_ext.c mm: fix the page_owner initializing issue for arm32 2020-09-29 12:42:42 +08:00
page_idle.c
page_io.c Merge android-5.4.24 (ce5de62) into msm-5.4 2020-04-14 08:25:29 -07:00
page_isolation.c mm/memory_hotplug: drain per-cpu pages again during memory offline 2020-11-23 17:03:25 +05:30
page_owner.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
page_poison.c debug-pagealloc: Panic on pagealloc corruption 2020-08-25 11:46:48 -07:00
page_vma_mapped.c mm: introduce page_size() 2019-09-24 15:54:08 -07:00
page-writeback.c mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() 2020-01-23 08:22:41 +01:00
pagewalk.c mm: pagewalk: fix termination condition in walk_pte_range() 2020-10-01 13:17:30 +02:00
percpu-internal.h
percpu-km.c
percpu-stats.c
percpu-vm.c
percpu.c percpu: fix first chunk size calculation for populated bitmap 2020-09-23 12:40:45 +02:00
pgtable-generic.c
process_vm_access.c
readahead.c
rmap.c mm: introduce __page_add_new_anon_rmap() 2020-06-11 16:02:04 +05:30
rodata_test.c
shmem.c Merge android-5.4-stable.45 (a9a13ee) into msm-5.4 2020-07-09 17:51:24 -07:00
showmem.c mm: showmem: make the notifiers atomic 2019-10-10 12:39:04 -07:00
shuffle.c mm/shuffle: don't move pages between zones and don't read garbage memmaps 2020-09-03 11:26:51 +02:00
shuffle.h
slab_common.c soc: qcom: Enable slabinfo support in minidump 2020-09-07 09:23:52 -07:00
slab.c soc: qcom: Enable slabinfo support in minidump 2020-09-07 09:23:52 -07:00
slab.h mm: slab: make page_cgroup_ino() to recognize non-compound slab pages properly 2019-11-06 08:47:50 -08:00
slob.c UPSTREAM: mm/sl[uo]b: export __kmalloc_track(_node)_caller 2020-11-02 16:12:00 +00:00
slub.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
sparse-vmemmap.c
sparse.c mm/sparse: fix kernel crash with pfn_section_valid check 2020-04-01 11:02:03 +02:00
swap_cgroup.c
swap_slots.c mm: swap: Add null pointer check 2020-01-10 11:23:22 -08:00
swap_state.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
swap.c mm: introduce __lru_cache_add_active_or_unevictable 2020-06-11 16:02:03 +05:30
swapfile.c This is the 5.4.83 stable release 2020-12-11 15:00:01 +01:00
truncate.c mm/thp: allow dropping THP from page cache 2019-10-19 06:32:33 -04:00
usercopy.c mm: usercopy: skip stack page span check 2019-12-02 15:36:05 -08:00
userfaultfd.c Merge android-5.4.24 (ce5de62) into msm-5.4 2020-04-14 08:25:29 -07:00
util.c mm: add kvfree_sensitive() for freeing sensitive data objects 2020-06-17 16:40:23 +02:00
vmacache.c
vmalloc.c mm: vmalloc: prevent use after free in _vm_unmap_aliases 2021-07-29 20:47:17 -07:00
vmpressure.c mm/vmpressure.c: fix a signedness bug in vmpressure_register_event() 2019-10-07 15:47:19 -07:00
vmscan.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
vmstat.c Merge android11-5.4.61+ (8540985) into msm-5.4 2020-10-19 10:50:25 -07:00
workingset.c mm: workingset: remove zero-seek setting for shadow node shrinker 2020-04-06 23:51:59 -07:00
z3fold.c mm/z3fold.c: claim page in the beginning of free 2019-10-07 15:47:19 -07:00
zbud.c
zpool.c zpool: add malloc_support_movable to zpool_driver 2019-09-24 15:54:12 -07:00
zsmalloc.c Merge android11-5.4.86+ (75c93eb) into msm-5.4 2021-04-22 09:44:51 +05:30
zswap.c zswap: do not map same object twice 2019-09-24 15:54:12 -07:00