shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-06 02:50:49 +09:00
Code Issues Packages Projects Releases Wiki Activity

Revert "FROMGIT: mm: fix use-after-free when anon vma name is used after vma is freed"

Browse Source 
This reverts commit 91b7584411.

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ic9b7399bc4649e68cad9ac7017225262a2dea579
This commit is contained in:
Suren Baghdasaryan
2022-03-24 18:29:49 -07:00
parent 928b638950
commit 7ff2a03673
2 changed files with 17 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
include/linux/mm_inline.h
View File

@@ -113,11 +113,6 @@ static __always_inline void del_page_from_lru_list(struct page *page,
*/
extern const char *vma_anon_name(struct vm_area_struct *vma);
/* mmap_lock should be read-locked */
extern struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma);
extern void vma_anon_name_put(struct anon_vma_name *anon_name);
/*
* mmap_lock should be read-locked for orig_vma->vm_mm.
* mmap_lock should be write-locked for new_vma->vm_mm or new_vma should be
@@ -149,14 +144,6 @@ static inline const char *vma_anon_name(struct vm_area_struct *vma)
{
return NULL;
}
static inline
struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma)
{
return NULL;
}
static inline void vma_anon_name_put(struct anon_vma_name *anon_name) {}
static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma,
struct vm_area_struct *new_vma) {}
static inline void free_vma_anon_name(struct vm_area_struct *vma) {}

67
mm/madvise.c
View File

@@ -70,9 +70,6 @@ static struct anon_vma_name *anon_vma_name_alloc(const char *name)
struct anon_vma_name *anon_name;
size_t count;
if (!name)
return NULL;
/* Add 1 for NUL terminator at the end of the anon_name->name */
count = strlen(name) + 1;
anon_name = kmalloc(struct_size(anon_name, name, count), GFP_KERNEL);
@@ -106,23 +103,6 @@ const char *vma_anon_name(struct vm_area_struct *vma)
return vma->anon_name->name;
}
struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma)
{
if (!has_vma_anon_name(vma))
return NULL;
mmap_assert_locked(vma->vm_mm);
kref_get(&vma->anon_name->kref);
return vma->anon_name;
}
void vma_anon_name_put(struct anon_vma_name *anon_name)
{
if (anon_name)
kref_put(&anon_name->kref, vma_anon_name_free);
}
void dup_vma_anon_name(struct vm_area_struct *orig_vma,
struct vm_area_struct *new_vma)
{
@@ -146,34 +126,33 @@ void free_vma_anon_name(struct vm_area_struct *vma)
}
/* mmap_lock should be write-locked */
static int replace_vma_anon_name(struct vm_area_struct *vma,
struct anon_vma_name *anon_name)
static int replace_vma_anon_name(struct vm_area_struct *vma, const char *name)
{
const char *orig_name;
const char *anon_name;
if (!anon_name) {
if (!name) {
free_vma_anon_name(vma);
return 0;
}
orig_name = vma_anon_name(vma);
if (orig_name) {
anon_name = vma_anon_name(vma);
if (anon_name) {
/* Same name, nothing to do here */
if (!strcmp(anon_name->name, orig_name))
if (!strcmp(name, anon_name))
return 0;
free_vma_anon_name(vma);
}
kref_get(&anon_name->kref);
vma->anon_name = anon_name;
vma->anon_name = anon_vma_name_alloc(name);
if (!vma->anon_name)
return -ENOMEM;
return 0;
}
#else /* CONFIG_ANON_VMA_NAME */
static int replace_vma_anon_name(struct vm_area_struct *vma,
struct anon_vma_name *anon_name)
static int replace_vma_anon_name(struct vm_area_struct *vma, const char *name)
{
if (anon_name)
if (name)
return -EINVAL;
return 0;
@@ -182,15 +161,12 @@ static int replace_vma_anon_name(struct vm_area_struct *vma,
/*
* Update the vm_flags on region of a vma, splitting it or merging it as
* necessary. Must be called with mmap_sem held for writing;
* Caller should ensure anon_name stability by raising its refcount even when
* anon_name belongs to a valid vma because this function might free that vma.
*/
static int madvise_update_vma(struct vm_area_struct *vma,
struct vm_area_struct **prev, unsigned long start,
unsigned long end, unsigned long new_flags,
struct anon_vma_name *anon_name)
const char *name)
{
const char *name = anon_name ? anon_name->name : NULL;
struct mm_struct *mm = vma->vm_mm;
int error;
pgoff_t pgoff;
@@ -233,7 +209,7 @@ success:
*/
vma->vm_flags = new_flags;
if (!vma->vm_file) {
error = replace_vma_anon_name(vma, anon_name);
error = replace_vma_anon_name(vma, name);
if (error)
return error;
}
@@ -1000,7 +976,6 @@ static int madvise_vma_behavior(struct vm_area_struct *vma,
{
int error;
unsigned long new_flags = vma->vm_flags;
struct anon_vma_name *anon_name;
switch (behavior) {
case MADV_REMOVE:
@@ -1065,10 +1040,8 @@ static int madvise_vma_behavior(struct vm_area_struct *vma,
break;
}
anon_name = vma_anon_name_get(vma);
error = madvise_update_vma(vma, prev, start, end, new_flags,
anon_name);
vma_anon_name_put(anon_name);
vma_anon_name(vma));
out:
/*
@@ -1252,7 +1225,7 @@ int madvise_walk_vmas(struct mm_struct *mm, unsigned long start,
static int madvise_vma_anon_name(struct vm_area_struct *vma,
struct vm_area_struct **prev,
unsigned long start, unsigned long end,
unsigned long anon_name)
unsigned long name)
{
int error;
@@ -1261,7 +1234,7 @@ static int madvise_vma_anon_name(struct vm_area_struct *vma,
return -EBADF;
error = madvise_update_vma(vma, prev, start, end, vma->vm_flags,
(struct anon_vma_name *)anon_name);
(const char *)name);
/*
* madvise() returns EAGAIN if kernel resources, such as
@@ -1275,10 +1248,8 @@ static int madvise_vma_anon_name(struct vm_area_struct *vma,
int madvise_set_anon_name(struct mm_struct *mm, unsigned long start,
unsigned long len_in, const char *name)
{
struct anon_vma_name *anon_name;
unsigned long end;
unsigned long len;
int ret;
if (start & ~PAGE_MASK)
return -EINVAL;
@@ -1295,12 +1266,8 @@ int madvise_set_anon_name(struct mm_struct *mm, unsigned long start,
if (end == start)
return 0;
anon_name = anon_vma_name_alloc(name);
ret = madvise_walk_vmas(mm, start, end, (unsigned long)anon_name,
return madvise_walk_vmas(mm, start, end, (unsigned long)name,
madvise_vma_anon_name);
vma_anon_name_put(anon_name);
return ret;
}
#endif /* CONFIG_ANON_VMA_NAME */
/*