On Wed, Apr 24, 2019 at 10:35:56AM -0700, Todd Kjos wrote: > From: Todd Kjos <tkjos@xxxxxxxxxxx> > > commit 5cec2d2e5839f9c0fec319c523a911e0a7fd299f upstream. > > An munmap() on a binder device causes binder_vma_close() to be called > which clears the alloc->vma pointer. > > If direct reclaim causes binder_alloc_free_page() to be called, there > is a race where alloc->vma is read into a local vma pointer and then > used later after the mm->mmap_sem is acquired. This can result in > calling zap_page_range() with an invalid vma which manifests as a > use-after-free in zap_page_range(). > > The fix is to check alloc->vma after acquiring the mmap_sem (which we > were acquiring anyway) and skip zap_page_range() if it has changed > to NULL. > > Signed-off-by: Todd Kjos <tkjos@xxxxxxxxxx> > Reviewed-by: Joel Fernandes (Google) <joel@xxxxxxxxxxxxxxxxx> > Cc: stable <stable@xxxxxxxxxxxxxxx> # 5.0, 4.19, 4.14 > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > --- > Greg: This applies to 5.0, 4.19, 4.14. Not needed before 4.12. Thanks, now queued up. greg k-h
