android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
143ac63130
android_kernel_xiaomi_sm8450/mm
History
Vijayanand Jitta f72f41f50c UPSTREAM: mm: vmalloc: prevent use after free in _vm_unmap_aliases 
A potential use after free can occur in _vm_unmap_aliases where an already
freed vmap_area could be accessed, Consider the following scenario:

Process 1						Process 2

__vm_unmap_aliases					__vm_unmap_aliases
	purge_fragmented_blocks_allcpus				rcu_read_lock()
		rcu_read_lock()
			list_del_rcu(&vb->free_list)
									list_for_each_entry_rcu(vb .. )
	__purge_vmap_area_lazy
		kmem_cache_free(va)
										va_start = vb->va->va_start

Here Process 1 is in purge path and it does list_del_rcu on vmap_block and
later frees the vmap_area, since Process 2 was holding the rcu lock at
this time vmap_block will still be present in and Process 2 accesse it and
thereby it tries to access vmap_area of that vmap_block which was already
freed by Process 1 and this results in use after free.

Fix this by adding a check for vb->dirty before accessing vmap_area
structure since vb->dirty will be set to VMAP_BBMAP_BITS in purge path
checking for this will prevent the use after free.

Link: https://lkml.kernel.org/r/1616062105-23263-1-git-send-email-vjitta@codeaurora.org
Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Bug: 205658047
(cherry picked from commit ad216c0316ad6391d90f4de0a7f59396b2925a06
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git)

Change-Id: I450781b5734570d1b9e8c63ac29ad3635c8e49bb
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>
2021-11-09 17:29:42 +00:00
..
kasan UPSTREAM: arm64: kasan: mte: use a constant kernel GCR_EL1 value 2021-10-01 09:39:35 -07:00
kfence UPSTREAM: kfence: use TASK_IDLE when awaiting allocation 2021-08-27 12:26:09 -07:00
backing-dev.c bdi: replace BDI_CAP_NO_{WRITEBACK,ACCT_DIRTY} with a single flag 2020-09-24 13:43:39 -06:00
balloon_compaction.c mm/balloon_compaction: suppress allocation warnings 2019-09-04 07:42:01 -04:00
cleancache.c Driver Core and debugfs changes for 5.3-rc1 2019-07-12 12:24:03 -07:00
cma_debug.c FROMLIST: mm: cma: introduce gfp flag in cma_alloc instead of no_warn 2021-01-25 12:21:02 -08:00
cma_sysfs.c ANDROID: make cma_sysfs experimental 2021-03-25 19:20:18 +00:00
cma.c ANDROID: mm: cma: disable LRU cache early 2021-10-20 17:33:35 +00:00
cma.h ANDROID: GKI: add OEM data in cma struct 2021-06-04 11:15:16 -07:00
compaction.c UPSTREAM: mm/compaction: correct deferral logic for proactive compaction 2021-07-21 22:18:24 +00:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: ensure THP availability via has_transparent_hugepage() 2021-07-14 16:56:13 +02:00
debug.c ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
dmapool.c mm/dmapool.c: replace hard coded function name with __func__ 2020-10-13 18:38:32 -07:00
early_ioremap.c mm/early_ioremap.c: use %pa to print resource_size_t variables 2020-01-31 10:30:38 -08:00
fadvise.c mm, fadvise: improve the expensive remote LRU cache draining after FADV_DONTNEED 2020-10-13 18:38:29 -07:00
failslab.c mm/failslab.c: by default, do not fail allocations with direct reclaim only 2019-07-12 11:05:43 -07:00
filemap.c ANDROID: mm: unlock the page on speculative fault retry 2021-09-14 17:43:45 +00:00
frame_vector.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
frontswap.c mm/frontswap: mark various intentional data races 2020-08-14 19:56:56 -07:00
gup_benchmark.c mm/gup_benchmark: take the mmap lock around GUP 2020-10-18 09:27:09 -07:00
gup.c This is the 5.10.50 stable release 2021-07-14 17:35:23 +02:00
highmem.c mm/highmem.c: clean up endif comments 2020-10-16 11:11:18 -07:00
hmm.c mm: do page fault accounting in handle_mm_fault 2020-08-12 10:58:02 -07:00
huge_memory.c This is the 5.10.53 stable release 2021-07-25 15:37:14 +02:00
hugetlb_cgroup.c hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings 2021-03-30 14:31:54 +02:00
hugetlb.c This is the 5.10.50 stable release 2021-07-14 17:35:23 +02:00
hwpoison-inject.c mm,hwpoison-inject: don't pin for hwpoison_filter 2020-10-16 11:11:16 -07:00
init-mm.c FROMLIST: mm: protect mm_rb tree with a rwlock 2021-01-22 18:00:57 +00:00
internal.h Linux 5.10.47 2021-06-30 19:38:46 +02:00
interval_tree.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 248 2019-06-19 17:09:08 +02:00
ioremap.c mm: move p?d_alloc_track to separate header file 2020-08-07 11:33:26 -07:00
Kconfig FROMLIST: mm: cma: support sysfs 2021-03-25 19:20:09 +00:00
Kconfig.debug ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
khugepaged.c This is the 5.10.50 stable release 2021-07-14 17:35:23 +02:00
kmemleak.c UPSTREAM: kasan, kmemleak: reset tags when scanning block 2021-08-30 07:02:08 +00:00
ksm.c Merge 5.10.38 into android12-5.10 2021-05-20 15:35:25 +02:00
list_lru.c mm: list_lru: set shrinker map bit when child nr_items is not zero 2020-12-06 10:19:07 -08:00
maccess.c uaccess: add force_uaccess_{begin,end} helpers 2020-08-12 10:57:59 -07:00
madvise.c FROMLIST: mm/madvise: add MADV_WILLNEED to process_madvise() 2021-08-16 15:13:13 +00:00
Makefile ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
mapping_dirty_helpers.c mm/mapping_dirty_helpers: update huge page-table entry callbacks 2020-04-02 09:35:29 -07:00
memblock.c This is the 5.10.54 stable release 2021-07-28 15:23:47 +02:00
memcontrol.c This is the 5.10.50 stable release 2021-07-14 17:35:23 +02:00
memfd.c mm: page cache: store only head pages in i_pages 2019-09-24 15:54:08 -07:00
memory_hotplug.c ANDROID: mm: cma: skip problematic pageblock 2021-07-14 11:54:49 -07:00
memory-failure.c mm,hwpoison: return -EBUSY when migration fails 2021-07-19 09:44:56 +02:00
memory.c ANDROID: Fix mmu_notifier imbalance 2021-11-01 16:47:30 +00:00
mempolicy.c FROMLIST: mm: replace migrate_[prep|finish] with lru_cache_[disable|enable] 2021-03-23 04:05:24 +00:00
mempool.c FROMGIT: kasan: use separate (un)poison implementation for integrated init 2021-06-17 14:39:37 -07:00
memremap.c mm: fix memory_failure() handling of dax-namespace metadata 2021-03-04 11:38:21 +01:00
memtest.c
migrate.c Linux 5.10.47 2021-06-30 19:38:46 +02:00
mincore.c mm: factor find_get_incore_page out of mincore_page 2020-10-13 18:38:29 -07:00
mlock.c ANDROID: mm: page_pinner: unattribute follow_page in munlock_vma_pages_range 2021-04-30 09:13:35 -07:00
mm_init.c mm: adjust vm_committed_as_batch according to vm overcommit policy 2020-08-07 11:33:26 -07:00
mmap.c ANDROID: vendor_hooks: Add hook in mmap_region() 2021-09-06 16:51:38 +08:00
mmu_gather.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
mmu_notifier.c mm/mmu_notifiers: ensure range_end() is paired with range_start() 2021-03-30 14:32:06 +02:00
mmzone.c ANDROID: mm: export zone_watermark_ok 2021-02-25 19:36:38 +00:00
mprotect.c FROMGIT: mm: improve mprotect(R|W) efficiency on pages referenced once 2021-06-15 19:33:15 +00:00
mremap.c UPSTREAM: mm/mremap: fix BUILD_BUG_ON() error in get_extent 2021-10-21 08:33:12 -07:00
msync.c mmap locking API: use coccinelle to convert mmap_sem rwsem call sites 2020-06-09 09:39:14 -07:00
nommu.c ANDROID: mm: allow vmas with vm_ops to be speculatively handled 2021-04-23 18:42:39 -07:00
oom_kill.c ANDROID: signal: Add vendor hook for memory reaping 2021-06-03 20:59:15 +00:00
page_alloc.c This is the 5.10.64 stable release 2021-09-12 09:17:13 +02:00
page_counter.c mm/page_counter: correct the obsolete func name in the comment of page_counter_try_charge() 2020-10-13 18:38:30 -07:00
page_ext.c ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
page_idle.c mm/page_idle.c: skip offline pages 2020-06-08 11:05:55 -07:00
page_io.c UPSTREAM: mm/page_io: use pr_alert_ratelimited for swap read/write errors 2021-03-30 18:44:11 +00:00
page_isolation.c ANDROID: mm: cma: skip problematic pageblock 2021-07-14 11:54:49 -07:00
page_owner.c ANDROID: mm: Make page_owner_enabled global 2021-04-01 00:09:00 +00:00
page_pinner.c Revert "ANDROID: mm: page_pinner: use EXPORT_SYMBOL_GPL" 2021-09-23 23:47:26 +00:00
page_poison.c UPSTREAM: kasan: fix conflict with page poisoning 2021-07-19 20:39:17 +00:00
page_reporting.c mm: rename page_order() to buddy_order() 2020-10-16 11:11:19 -07:00
page_reporting.h mm: introduce include/linux/pgtable.h 2020-06-09 09:39:13 -07:00
page_vma_mapped.c mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk() 2021-06-30 08:47:29 -04:00
page-writeback.c ANDROID: vendor_hooks: add hook to balance_dirty_pages() 2021-05-20 19:38:42 +00:00
pagewalk.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
percpu-internal.h percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-km.c mm: memcg/percpu: account percpu memory to memory cgroups 2020-08-12 10:57:55 -07:00
percpu-stats.c percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-vm.c mm: memcg/percpu: account percpu memory to memory cgroups 2020-08-12 10:57:55 -07:00
percpu.c Merge 5.10.30 into android12-5.10 2021-04-15 14:23:41 +02:00
pgalloc-track.h mm: move p?d_alloc_track to separate header file 2020-08-07 11:33:26 -07:00
pgtable-generic.c mm/thp: fix __split_huge_pmd_locked() on shmem migration entry 2021-06-30 08:47:26 -04:00
process_vm_access.c mm/process_vm_access.c: include compat.h 2021-01-19 18:27:21 +01:00
ptdump.c This is the 5.10.32 stable release 2021-04-22 11:12:08 +02:00
readahead.c ANDROID: mm: Create vendor hooks to control ZONE_MOVABLE allocations 2020-12-01 18:07:54 +00:00
rmap.c Merge branch 'android12-5.10' into android12-5.10-lts 2021-09-13 18:12:07 +02:00
rodata_test.c mm/rodata_test.c: fix missing function declaration 2020-08-21 09:52:53 -07:00
shmem.c This is the 5.10.53 stable release 2021-07-25 15:37:14 +02:00
shuffle.c mm: rename page_order() to buddy_order() 2020-10-16 11:11:19 -07:00
shuffle.h mm/shuffle: remove dynamic reconfiguration 2020-08-07 11:33:29 -07:00
slab_common.c Merge tag 'android12-5.10.66_r00' into android12-5.10 2021-10-21 09:45:02 +02:00
slab.c Merge 5.10.37 into android12-5.10 2021-05-15 09:28:55 +02:00
slab.h Merge branch 'android12-5.10' into android12-5.10-lts 2021-07-22 13:32:27 +02:00
slob.c mm: memcg: convert vmstat slab counters to bytes 2020-08-07 11:33:24 -07:00
slub.c UPSTREAM: mm, slub: move slub_debug static key enabling outside slab_mutex 2021-09-16 11:46:17 +08:00
sparse-vmemmap.c mm/sparse: only sub-section aligned range would be populated 2020-08-07 11:33:27 -07:00
sparse.c mm/sparse: add the missing sparse_buffer_fini() in error branch 2021-05-14 09:50:45 +02:00
swap_cgroup.c mm: memcontrol: make swap tracking an integral part of memory control 2020-06-03 20:09:48 -07:00
swap_slots.c mm/swap_slots.c: remove always zero and unused return value of enable_swap_slots_cache() 2020-10-13 18:38:30 -07:00
swap_state.c FROMLIST: mm: protect VMA modifications using VMA sequence count 2021-01-22 17:59:47 +00:00
swap.c BACKPORT: UPSTREAM: mm: fs: invalidate bh_lrus for only cold path 2021-09-27 17:48:37 -07:00
swapfile.c Merge branch 'android12-5.10' into android12-5.10-lts 2021-07-13 15:00:50 +02:00
truncate.c mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() 2021-06-30 08:47:27 -04:00
usercopy.c mm/usercopy.c: delete duplicated word 2020-08-12 10:57:58 -07:00
userfaultfd.c FROMGIT: userfaultfd/shmem: modify shmem_mfill_atomic_pte to use install_pte() 2021-06-04 19:13:10 +00:00
util.c ANDROID: android: export kernel function arch_mmap_rnd 2021-07-09 20:51:14 +00:00
vmacache.c kernel: better document the use_mm/unuse_mm API contract 2020-06-10 19:14:18 -07:00
vmalloc.c UPSTREAM: mm: vmalloc: prevent use after free in _vm_unmap_aliases 2021-11-09 17:29:42 +00:00
vmpressure.c FROMLIST: mm, memcg: add mem_cgroup_disabled checks in vmpressure and swap-related functions 2021-07-12 18:26:15 -07:00
vmscan.c Linux 5.10.61 2021-08-27 20:51:37 +02:00
vmstat.c ANDROID: mm: allow vmas with vm_ops to be speculatively handled 2021-04-23 18:42:39 -07:00
workingset.c XArray updates for 5.9 2020-10-20 14:39:37 -07:00
z3fold.c mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page 2021-07-14 16:56:51 +02:00
zbud.c mm/zbud: remove redundant initialization 2020-10-13 18:38:34 -07:00
zpool.c mm/zpool.c: delete duplicated word and fix grammar 2020-08-12 10:57:58 -07:00
zsmalloc.c This is the 5.10.21 stable release 2021-03-07 12:53:30 +01:00
zswap.c mm/zswap: allow setting default status, compressor and allocator in Kconfig 2020-04-07 10:43:41 -07:00