| author | Jann Horn <jannh@google.com> | 2023-07-28 07:13:21 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-08-03 11:26:14 +0300 |
| commit | e872d6b6ea4947fb87f0d6ea1ef814019dbed89e (patch) | |
| tree | cdd9817bfb778254ba7cedd7b10c9c7a10e2cb43 /include/linux/workqueue_api.h | |
| parent | da84cd9b5e03464c177cabf9692853708626456f (diff) | |
| download | linux-e872d6b6ea4947fb87f0d6ea1ef814019dbed89e.tar.xz | |
mm/mempolicy: Take VMA lock before replacing policy

commit 6c21e066f9256ea1df6f88768f6ae1080b7cf509 upstream.

mbind() calls down into vma_replace_policy() without taking the per-VMA
locks, replaces the VMA's vma->vm_policy pointer, and frees the old
policy. That's bad; a concurrent page fault might still be using the
old policy (in vma_alloc_folio()), resulting in use-after-free.

Normally this will manifest as a use-after-free read first, but it can
result in memory corruption, including because vma_alloc_folio() can
call mpol_cond_put() on the freed policy, which conditionally changes
the policy's refcount member.

This bug is specific to CONFIG_NUMA, but it does also affect non-NUMA
systems as long as the kernel was built with CONFIG_NUMA.

Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Fixes: 5e31275cc997 ("mm: add per-VMA lock and helper functions to control it")
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'include/linux/workqueue_api.h')
0 files changed, 0 insertions, 0 deletions