shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 18:41:58 +09:00
Code Issues Packages Projects Releases Wiki Activity

ANDROID: mm: fix use-after free of page_ext in page_pinner

Browse Source 
Apply new page_ext refcounting scheme to page_pinner.

Bug: 236222283
Bug: 240196534
[surenb: extracted from aosp/2369529]
Change-Id: I3b64caf5a7e8ff316507cc3933f5b3696142268d
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
This commit is contained in:
Charan Teja Kalla
2022-08-18 19:20:00 +05:30
committed by Treehugger Robot
parent e6e6e1273d
commit 231a4cccec
1 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
mm/page_pinner.c
View File

@@ -150,7 +150,7 @@ void __free_page_pinner(struct page *page, unsigned int order)
if (!pp_buffer.buffer)
return;
page_ext = lookup_page_ext(page);
page_ext = page_ext_get(page);
if (unlikely(!page_ext))
return;
@@ -161,10 +161,6 @@ void __free_page_pinner(struct page *page, unsigned int order)
continue;
page_pinner = get_page_pinner(page_ext);
/* record page free call path */
page_ext = lookup_page_ext(page);
if (unlikely(!page_ext))
continue;
record.handle = save_stack(GFP_NOWAIT|__GFP_NOWARN);
record.ts_usec = (u64)ktime_to_us(ktime_get_boottime());
@@ -178,6 +174,7 @@ void __free_page_pinner(struct page *page, unsigned int order)
clear_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags);
page_ext = page_ext_next(page_ext);
}
page_ext_put(page_ext);
}
static ssize_t
@@ -245,7 +242,7 @@ err:
void __page_pinner_failure_detect(struct page *page)
{
struct page_ext *page_ext = lookup_page_ext(page);
struct page_ext *page_ext = page_ext_get(page);
struct page_pinner *page_pinner;
struct captured_pinner record;
u64 now;
@@ -253,8 +250,10 @@ void __page_pinner_failure_detect(struct page *page)
if (unlikely(!page_ext))
return;
if (test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags))
if (test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags)) {
page_ext_put(page_ext);
return;
}
now = (u64)ktime_to_us(ktime_get_boottime());
page_pinner = get_page_pinner(page_ext);
@@ -267,12 +266,13 @@ void __page_pinner_failure_detect(struct page *page)
capture_page_state(page, &record);
add_record(&pp_buffer, &record);
page_ext_put(page_ext);
}
EXPORT_SYMBOL_GPL(__page_pinner_failure_detect);
void __page_pinner_put_page(struct page *page)
{
struct page_ext *page_ext = lookup_page_ext(page);
struct page_ext *page_ext = page_ext_get(page);
struct page_pinner *page_pinner;
struct captured_pinner record;
u64 now, ts_usec;
@@ -280,8 +280,10 @@ void __page_pinner_put_page(struct page *page)
if (unlikely(!page_ext))
return;
if (!test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags))
if (!test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags)) {
page_ext_put(page_ext);
return;
}
page_pinner = get_page_pinner(page_ext);
record.handle = save_stack(GFP_NOWAIT|__GFP_NOWARN);
@@ -296,6 +298,7 @@ void __page_pinner_put_page(struct page *page)
capture_page_state(page, &record);
add_record(&pp_buffer, &record);
page_ext_put(page_ext);
}
EXPORT_SYMBOL_GPL(__page_pinner_put_page);