On Sat, Mar 02, 2019 at 08:27:44AM -0800, Todd Kjos wrote: > On Fri, Mar 1, 2019 at 11:57 PM Greg KH <gre...@linuxfoundation.org> wrote: > > > > On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote: > > > An munmap() on a binder device causes binder_vma_close() to be called > > > which clears the alloc->vma pointer. > > > > > > If direct reclaim causes binder_alloc_free_page() to be called, there > > > is a race where alloc->vma is read into a local vma pointer and then > > > used later after the mm->mmap_sem is acquired. This can result in > > > calling zap_page_range() with an invalid vma which manifests as a > > > use-after-free in zap_page_range(). > > > > > > The fix is to check alloc->vma after acquiring the mmap_sem (which we > > > were acquiring anyway) and skip zap_page_range() if it has changed > > > to NULL. > > > > > > Signed-off-by: Todd Kjos <tk...@google.com>
Awesome patch, Reviewed-by: Joel Fernandes (Google) <j...@joelfernandes.org> thanks! - Joel > > > --- > > > > Any specific commit that this fixes? > > No, it's been there a long time. > > > And should it be marked for stable releases? > > It is needed in stable (back to 4.4), but will need to be backported. > Should I post backported versions targeting the specific releases now? > I was thinking we'd wait for this one to land. I think we'll need 1 > patch for 4.4/4.9 and a second one for 4.14/4.19 (and some of those > backported patches will have conflicts when merged down to android-4.X > -- I think the 4.14/4.19 version will apply to all the android > branches). Let me know how you want to handle this. > > > > > thanks, > > > > greg k-h
