On Fri, Mar 1, 2019 at 11:57 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > On Fri, Mar 01, 2019 at 03:06:06PM -0800, Todd Kjos wrote: > > An munmap() on a binder device causes binder_vma_close() to be called > > which clears the alloc->vma pointer. > > > > If direct reclaim causes binder_alloc_free_page() to be called, there > > is a race where alloc->vma is read into a local vma pointer and then > > used later after the mm->mmap_sem is acquired. This can result in > > calling zap_page_range() with an invalid vma which manifests as a > > use-after-free in zap_page_range(). > > > > The fix is to check alloc->vma after acquiring the mmap_sem (which we > > were acquiring anyway) and skip zap_page_range() if it has changed > > to NULL. > > > > Signed-off-by: Todd Kjos <tkjos@xxxxxxxxxx> > > --- > > Any specific commit that this fixes? No, it's been there a long time. > And should it be marked for stable releases? It is needed in stable (back to 4.4), but will need to be backported. Should I post backported versions targeting the specific releases now? I was thinking we'd wait for this one to land. I think we'll need 1 patch for 4.4/4.9 and a second one for 4.14/4.19 (and some of those backported patches will have conflicts when merged down to android-4.X -- I think the 4.14/4.19 version will apply to all the android branches). Let me know how you want to handle this. > > thanks, > > greg k-h _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
