On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote: > An munmap() on a binder device causes binder_vma_close() to be called > which clears the alloc->vma pointer. > > If direct reclaim causes binder_alloc_free_page() to be called, there > is a race where alloc->vma is read into a local vma pointer and then > used later after the mm->mmap_sem is acquired. This can result in > calling zap_page_range() with an invalid vma which manifests as a > use-after-free in zap_page_range(). > > The fix is to check alloc->vma after acquiring the mmap_sem (which we > were acquiring anyway) and skip zap_page_range() if it has changed > to NULL. > > Signed-off-by: Todd Kjos <tkjos@xxxxxxxxxx> > --- Any specific commit that this fixes? And should it be marked for stable releases? thanks, greg k-h _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
