I noticed this code in alloc_user_pages() in
drivers/staging/media/atomisp/pci/hmm/hmm_bo.c:

    /*
     * Convert user space virtual address into pages list
     */
    static int alloc_user_pages(struct hmm_buffer_object *bo,
                                const void __user *userptr,
                                bool cached)
    {
        int page_nr;
        int i;
        struct vm_area_struct *vma;
        struct page **pages;

        pages = [...]
    [...]
        mmap_read_lock(current->mm);
        vma = find_vma(current->mm, (unsigned long)userptr);
        mmap_read_unlock(current->mm);
        if (!vma) {
    [...]
            return -EFAULT;
        }
    [...]
        /*
         * Handle frame buffer allocated in other kerenl space driver
         * and map to user space
         */
    [...]
        if (vma->vm_flags & (VM_IO | VM_PFNMAP)) {
            page_nr = pin_user_pages((unsigned long)userptr, bo->pgnr,
                                     FOLL_LONGTERM | FOLL_WRITE,
                                     pages, NULL);
            bo->mem_type = HMM_BO_MEM_TYPE_PFN;
        } else {
            /*Handle frame buffer allocated in user space*/
    [...]
            page_nr = get_user_pages_fast((unsigned long)userptr,
                                          (int)(bo->pgnr), 1, pages);
    [...]
        }
    [...]
    }

This code looks extremely dodgy to me. After mmap_read_unlock(current->mm),
the vma can be freed, and the following access to vma->vm_flags can be a
use-after-free. Also, pin_user_pages() must be called with the mmap lock
held, and you're calling it without holding that lock.
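The ordering the report calls for (VMA lookup, the vm_flags test and pin_user_pages() all under one mmap_read_lock() critical section), as an added user-space model that is neither kernel code nor the driver's actual fix: the mm/VMA structs, the reader counter standing in for the mmap lock, the pin_user_pages() stand-in that refuses to run unlocked, pin_calls and sample_mm() are all constructed here for illustration.

```c
#include <errno.h>
#include <stddef.h>
/* Added illustration: a user-space model of the kernel pieces the report
 * touches (mmap lock, VMA lookup, pin_user_pages); this is not kernel code. */
#define VM_PFNMAP 0x00000400UL
#define VM_IO     0x00004000UL
struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags; };
struct mm_struct { int readers; struct vm_area_struct *vmas; size_t nr_vmas; };
static void mmap_read_lock(struct mm_struct *mm)   { mm->readers++; }
static void mmap_read_unlock(struct mm_struct *mm) { mm->readers--; }
/* Like the kernel's find_vma(): the first VMA whose vm_end lies above addr. */
static struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
{
    for (size_t i = 0; i < mm->nr_vmas; i++)
        if (addr < mm->vmas[i].vm_end) return &mm->vmas[i];
    return NULL;
}
/* Model of pin_user_pages(): enforces the "mmap lock held" precondition the
 * way mmap_assert_locked() would, and counts how often the PFN path runs. */
static int pin_calls;
static int pin_user_pages(struct mm_struct *mm, unsigned long start, int nr)
{
    (void)start; pin_calls++;
    return mm->readers > 0 ? nr : -EINVAL;
}
/* The ordering the report asks for: VMA lookup, the vm_flags test and the
 * pin all sit inside one mmap_read_lock() critical section. */
static int alloc_user_pages_fixed(struct mm_struct *mm, unsigned long userptr, int pgnr)
{
    struct vm_area_struct *vma; int page_nr;
    mmap_read_lock(mm);
    vma = find_vma(mm, userptr);
    if (!vma || userptr < vma->vm_start) { /* find_vma() may return a VMA above userptr */
        mmap_read_unlock(mm);
        return -EFAULT;
    }
    if (vma->vm_flags & (VM_IO | VM_PFNMAP))  /* safe: the lock still pins vma */
        page_nr = pin_user_pages(mm, userptr, pgnr);
    else
        page_nr = pgnr;  /* get_user_pages_fast() path, modelled as success */
    mmap_read_unlock(mm);
    return page_nr;
}
/* Constructed sample address space: one plain user VMA, one PFN-mapped VMA. */
static struct mm_struct *sample_mm(void)
{
    static struct vm_area_struct vmas[] = { { 0x1000, 0x2000, 0 }, { 0x3000, 0x4000, VM_PFNMAP } };
    static struct mm_struct mm = { 0, vmas, 2 };
    return &mm;
}
```

In the model, calling pin_user_pages() without the lock fails loudly, which is the invariant the real code violates silently.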