android_kernel_xiaomi_sm8450/mm
Lokesh Gidra 6f61666ab1 ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus()
In 582c6d188ec1 ("ANDROID: userfaultfd: allow SPF for
UFFD_FEATURE_SIGBUS on private+anon"), we allowed userfaultfd
registered VMAs using SIGBUS to be handled with SPF. But during
page-fault handling, before userfaultfd_ctx is dereferenced,
another thread may call userfaultfd_release(), unlink the VMA
and then deallocate the same userfaultfd_ctx, leaving a dangling
pointer behind for dereference.

It is insufficient to do the access under rcu read-lock as the context
may have been deallocated before entering the critical section. Checking
that the vma has not changed in the critical section ensures we are not
looking at a dangling pointer to userfaultfd_ctx.

Change-Id: I9c3ba0f1352e49f0ea387b92c18b5f1b5dcad7f1
Signed-off-by: Lokesh Gidra <lokeshgidra@google.com>
Bug: 349936398
(cherry picked from commit c75b369e72da0283a20f794c0070c478b490f453)
2024-07-19 16:36:44 +00:00
damon UPSTREAM: mm/damon/vaddr-test: fix memory leak in damon_do_test_apply_three_regions() 2024-03-13 13:35:31 +00:00
kasan Revert "kasan: print the original fault addr when access invalid shadow" 2023-11-27 15:23:01 +00:00
kfence UPSTREAM: kfence: avoid passing -g for test 2023-09-08 12:39:57 +01:00
backing-dev.c writeback, cgroup: remove extra percpu_ref_exit() 2023-05-30 12:57:56 +01:00
balloon_compaction.c
cleancache.c
cma_debug.c FROMLIST: mm: cma: introduce gfp flag in cma_alloc instead of no_warn 2021-01-25 12:21:02 -08:00
cma_sysfs.c ANDROID: make cma_sysfs experimental 2021-03-25 19:20:18 +00:00
cma.c This is the 5.10.202 stable release 2023-12-08 16:26:36 +00:00
cma.h ANDROID: GKI: add OEM data in cma struct 2021-06-04 11:15:16 -07:00
compaction.c ANDROID: vendor_hook: Add hook to abort reclaim and compaction 2023-07-18 17:31:55 +00:00
debug_page_ref.c
debug_vm_pgtable.c mm/debug_vm_pgtable: remove pte entry from the page table 2022-02-08 18:30:35 +01:00
debug.c ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
dmapool.c
early_ioremap.c
fadvise.c
failslab.c
filemap.c This is the 5.10.197 stable release 2023-10-26 17:52:15 +00:00
frame_vector.c media: vb2: frame_vector.c: replace WARN_ONCE with a comment 2023-10-10 21:53:33 +02:00
frontswap.c
gup_benchmark.c
gup.c Merge 5.10.168 into android12-5.10-lts 2023-02-17 15:23:41 +00:00
highmem.c
hmm.c mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault 2022-01-27 10:54:36 +01:00
huge_memory.c This is the 5.10.176 stable release 2023-03-24 16:03:04 +00:00
hugetlb_cgroup.c hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings 2021-03-30 14:31:54 +02:00
hugetlb.c Merge 5.10.213 into android12-5.10-lts 2024-05-01 06:27:24 +00:00
hwpoison-inject.c
init-mm.c FROMLIST: mm: protect mm_rb tree with a rwlock 2021-01-22 18:00:57 +00:00
internal.h ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus() 2024-07-19 16:36:44 +00:00
interval_tree.c
ioremap.c
Kconfig ANDROID: mm: disable speculative page faults for CONFIG_NUMA 2022-11-27 09:32:29 -08:00
Kconfig.debug ANDROID: mm: introduce page_pinner 2021-04-30 09:13:34 -07:00
khugepaged.c This is the 5.10.179 stable release 2023-06-16 09:49:29 +00:00
kmemleak.c This is the 5.10.143 stable release 2022-09-22 14:38:08 +02:00
ksm.c BACKPORT: mm: don't be stuck to rmap lock on reclaim path 2022-10-11 16:33:36 +00:00
list_lru.c
maccess.c maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault() 2022-11-25 17:45:53 +01:00
madvise.c ANDROID: 16K: Use MADV_DONTNEED to save VMA padding pages. 2024-05-02 15:06:14 -07:00
Makefile ANDROID: 16K: Introduce /sys/kernel/mm/pgsize_miration/enabled 2024-05-02 15:06:11 -07:00
mapping_dirty_helpers.c
memblock.c This is the 5.10.169 stable release 2023-02-25 15:32:12 +00:00
memcontrol.c This is the 5.10.202 stable release 2023-12-08 16:26:36 +00:00
memfd.c memfd: check for non-NULL file_seals in memfd_create() syscall 2023-06-28 10:28:09 +02:00
memory_hotplug.c This is the 5.10.202 stable release 2023-12-08 16:26:36 +00:00
memory-failure.c This is the 5.10.208 stable release 2024-01-16 13:12:39 +00:00
memory.c ANDROID: userfaultfd: Fix use-after-free in userfaultfd_using_sigbus() 2024-07-19 16:36:44 +00:00
mempolicy.c Merge 5.10.168 into android12-5.10-lts 2023-02-17 15:23:41 +00:00
mempool.c FROMGIT: kasan: use separate (un)poison implementation for integrated init 2021-06-17 14:39:37 -07:00
memremap.c mm/memremap.c: map FS_DAX device memory as decrypted 2022-11-16 09:57:17 +01:00
memtest.c
migrate.c Merge 5.10.168 into android12-5.10-lts 2023-02-17 15:23:41 +00:00
mincore.c
mlock.c ANDROID: 16K: Handle pad VMA splits and merges 2024-05-02 15:06:14 -07:00
mm_init.c
mmap.c ANDROID: 16K: Handle pad VMA splits and merges 2024-05-02 15:06:14 -07:00
mmu_gather.c mm/khugepaged: fix GUP-fast interaction by sending IPI 2022-12-14 11:31:55 +01:00
mmu_notifier.c This is the 5.10.113 stable release 2022-05-12 11:23:35 +02:00
mmzone.c This is the 5.10.116 stable release 2022-05-16 08:45:59 +02:00
mprotect.c ANDROID: 16K: Handle pad VMA splits and merges 2024-05-02 15:06:14 -07:00
mremap.c ANDROID: mm: Fix VMA ref count after fast-mremap 2024-02-15 19:36:07 +00:00
msync.c
nommu.c ANDROID: mm: allow vmas with vm_ops to be speculatively handled 2021-04-23 18:42:39 -07:00
oom_kill.c BACKPORT: mm: update mark_victim tracepoints fields 2024-04-08 18:40:58 +00:00
page_alloc.c This is the 5.10.200 stable release 2023-11-26 14:07:49 +00:00
page_counter.c
page_ext.c UPSTREAM: mm/page_exit: fix kernel doc warning in page_ext_put() 2023-04-13 07:58:37 +01:00
page_idle.c BACKPORT: mm: don't be stuck to rmap lock on reclaim path 2022-10-11 16:33:36 +00:00
page_io.c ANDROID: vendor_hooks: Add hooks to record the I/O statistics of swap: 2022-06-30 03:00:23 +00:00
page_isolation.c ANDROID: mm: cma: skip problematic pageblock 2021-07-14 11:54:49 -07:00
page_owner.c ANDROID: mm: Export page_owner_inited and __set_page_owner 2023-08-29 23:09:59 +00:00
page_pinner.c ANDROID: page_pinner: prevent pp_buffer access before initialization 2023-03-23 13:28:36 -07:00
page_poison.c UPSTREAM: kasan: fix conflict with page poisoning 2021-07-19 20:39:17 +00:00
page_reporting.c
page_reporting.h
page_vma_mapped.c mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk() 2021-06-30 08:47:29 -04:00
page-writeback.c This is the 5.10.210 stable release 2024-04-10 07:10:03 +00:00
pagewalk.c This is the 5.10.142 stable release 2022-09-22 13:46:39 +02:00
percpu-internal.h percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-km.c
percpu-stats.c percpu: make pcpu_nr_empty_pop_pages per chunk type 2021-04-14 08:42:03 +02:00
percpu-vm.c
percpu.c Merge 5.10.30 into android12-5.10 2021-04-15 14:23:41 +02:00
pgalloc-track.h
pgsize_migration.c ANDROID: 16K: Don't set padding vm_flags on 32-bit archs 2024-07-18 19:59:13 +00:00
pgtable-generic.c mm/thp: fix __split_huge_pmd_locked() on shmem migration entry 2021-06-30 08:47:26 -04:00
process_vm_access.c
ptdump.c This is the 5.10.142 stable release 2022-09-22 13:46:39 +02:00
readahead.c Merge 5.10.201 into android12-5.10-lts 2023-11-29 14:46:51 +00:00
rmap.c ANDROID: Export symbols to do reverse mapping within memcg in kernel modules. 2023-08-23 12:33:26 +00:00
rodata_test.c
shmem.c This is the 5.10.195 stable release 2023-09-19 11:32:32 +00:00
shuffle.c
shuffle.h
slab_common.c BACKPORT: mm: make minimum slab alignment a runtime property 2023-01-20 00:46:19 +00:00
slab.c BACKPORT: mm: make minimum slab alignment a runtime property 2023-01-20 00:46:19 +00:00
slab.h This is the 5.10.82 stable release 2021-11-26 15:37:44 +01:00
slob.c BACKPORT: mm: make minimum slab alignment a runtime property 2023-01-20 00:46:19 +00:00
slub.c This is the 5.10.146 stable release 2022-09-29 17:06:30 +02:00
sparse-vmemmap.c
sparse.c mm/sparsemem: fix race in accessing memory_section->usage 2024-02-23 08:42:00 +01:00
swap_cgroup.c
swap_slots.c ANDROID: sched: add restricted hooks to replace the former hooks 2022-10-24 14:26:09 +08:00
swap_state.c This is the 5.10.108 stable release 2022-03-23 12:30:33 +01:00
swap.c ANDROID: vendor_hooks: protect multi-mapcount pages in kernel 2022-08-03 20:10:45 +00:00
swapfile.c ANDROID: add vendor hook of add/delete/iterate node for swap_avail_heads 2023-09-15 19:58:39 +00:00
truncate.c mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() 2021-06-30 08:47:27 -04:00
usercopy.c mm/usercopy: return 1 from hardened_usercopy __setup() handler 2022-04-08 14:40:43 +02:00
userfaultfd.c Merge 5.10.211 into android12-5.10-lts 2024-04-16 15:38:10 +00:00
util.c This is the 5.10.210 stable release 2024-04-10 07:10:03 +00:00
vmacache.c
vmalloc.c This is the 5.10.193 stable release 2023-08-31 18:29:19 +00:00
vmpressure.c FROMLIST: mm, memcg: add mem_cgroup_disabled checks in vmpressure and swap-related functions 2021-07-12 18:26:15 -07:00
vmscan.c ANDROID: mm: Add vendor hooks for recording when kswapd finishing the reclaim job 2024-02-02 17:56:46 +00:00
vmstat.c This is the 5.10.116 stable release 2022-05-16 08:45:59 +02:00
workingset.c
z3fold.c mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page 2021-07-14 16:56:51 +02:00
zbud.c
zpool.c
zsmalloc.c This is the 5.10.120 stable release 2022-07-23 16:09:48 +02:00
zswap.c