From c9acd461a2dabe2308a3bf009dca37ad742ff96a Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan
Date: Wed, 8 Jun 2022 11:04:52 -0700
Subject: [PATCH] ANDROID: arm64/mm: protect vm_file during speculative page fault handling

Use vma->file_ref_count to protect vma->vm_file from destruction during speculative page fault handling.

Bug: 234527424
Signed-off-by: Suren Baghdasaryan
Change-Id: I4c826fd5ef45576566e1eb8f8f23d17e620e7fc9
---
 arch/arm64/mm/fault.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 59b56083da95..d14f977c3f47 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -542,6 +542,7 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
 	unsigned int mm_flags = FAULT_FLAG_DEFAULT;
 	unsigned long addr = untagged_addr(far);
 #ifdef CONFIG_SPECULATIVE_PAGE_FAULT
+	struct vm_area_struct *orig_vma = NULL;
 	struct vm_area_struct *vma;
 	struct vm_area_struct pvma;
 	unsigned long seq;
@@ -629,17 +630,29 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
 			count_vm_spf_event(SPF_ABORT_NO_SPECULATE);
 			goto spf_abort;
 		}
+		if (vma->vm_file) {
+			if (!vma_get_file_ref(vma)) {
+				rcu_read_unlock();
+				count_vm_spf_event(SPF_ABORT_UNMAPPED);
+				goto spf_abort;
+			}
+			orig_vma = vma;
+		}
 		pvma = *vma;
 		rcu_read_unlock();
-		if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY))
+		if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY)) {
+			vma_put_file_ref(orig_vma);
 			goto spf_abort;
+		}
 		vma = &pvma;
 		if (!(vma->vm_flags & vm_flags)) {
 			count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
+			vma_put_file_ref(orig_vma);
 			goto spf_abort;
 		}
 		fault = do_handle_mm_fault(vma, addr & PAGE_MASK, mm_flags | FAULT_FLAG_SPECULATIVE, seq, regs);
+		vma_put_file_ref(orig_vma);
 		/* Quick path to respond to signals */
 		if (fault_signal_pending(fault, regs)) {
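Review bot: The new `orig_vma` declaration in the first hunk carries a lifetime invariant that nothing documents: it is non-NULL only while a vm_file reference taken under RCU is held, and every exit from the speculative path must drop that reference, which is exactly the kind of pairing that gets broken when a new abort path is added later. Suggest `struct vm_area_struct *orig_vma = NULL; /* non-NULL iff a vma file ref is held; every spf exit must vma_put_file_ref() it */`. The second hunk also passes `orig_vma` to `vma_put_file_ref()` while it is still NULL whenever the VMA has no vm_file, so the helper must tolerate NULL; its definition is not on this page, so that assumption is worth stating in the same comment. The body of do_page_fault, including the remaining speculative-path exits after `fault_signal_pending()`, continues beyond the visible hunks.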