From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Ryabinin <a.ryabinin@samsung.com>,
Peter Zijlstra <peterz@infradead.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 3.10 34/40] mm: rmap: fix use-after-free in __put_anon_vma
Date: Mon, 9 Jun 2014 15:49:05 -0700
Message-ID: <20140609224840.299507085@linuxfoundation.org>
In-Reply-To: <20140609224839.127615063@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ryabinin <a.ryabinin@samsung.com>
commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream.
While working on the address sanitizer for the kernel, I've discovered a
use-after-free bug in __put_anon_vma.
For the last anon_vma, anon_vma->root is freed before the child anon_vma.
Later, in anon_vma_free(anon_vma), we reference the already freed
anon_vma->root to check the rwsem.
This fixes it by freeing the child anon_vma before freeing
anon_vma->root.
Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/rmap.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1675,10 +1675,9 @@ void __put_anon_vma(struct anon_vma *ano
{
struct anon_vma *root = anon_vma->root;
+ anon_vma_free(anon_vma);
if (root != anon_vma && atomic_dec_and_test(&root->refcount))
anon_vma_free(root);
-
- anon_vma_free(anon_vma);
}
#ifdef CONFIG_MIGRATION
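Review bot: the reordering is correct only because of an invariant the hunk leaves implicit: anon_vma_free() needs a live anon_vma->root (the commit message says it inspects the root's rwsem), while nothing after the moved `anon_vma_free(anon_vma)` line dereferences anon_vma itself; `root` was loaded into a local before the free, and `root != anon_vma` only compares pointer values. That invariant is easy to break in a later edit, so a one-line comment above the moved call, e.g. `/* anon_vma_free() looks at anon_vma->root, so free the child first */`, would document why the order matters. It is also worth noting in that comment that when root == anon_vma the object is freed exactly once, because the `&&` short-circuits before the second anon_vma_free(root).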
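To make the ordering bug visible without a kernel build, here is an added, stand-alone C model of the release path (written for this page; it is not the kernel's code and is not part of the patch). It models only the one property the commit message relies on: the free routine inspects the object's root before releasing it, so the root must outlive every child. Allocations are stand-ins with a `freed` poison flag, and the names `toy_anon_vma`, `put_before_fix`, `put_after_fix` and `run_scenario` are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of struct anon_vma: a tree where every node points at
 * its root (the root points at itself) and children hold a reference on
 * the root.  Objects are "freed" by setting a poison flag so that a later
 * access can be detected instead of being undefined behaviour. */
struct toy_anon_vma {
    struct toy_anon_vma *root;
    int refcount;        /* references held on this object (root only, here) */
    bool rwsem_locked;   /* stand-in for root->rwsem */
    bool freed;          /* poison flag set instead of calling free() */
};

static int uaf_events;     /* accesses to an object after it was freed */
static int double_frees;   /* objects freed twice */

/* Model of anon_vma_free(): like the real one (per the commit message) it
 * looks at anon_vma->root's rwsem before releasing the object. */
static void toy_anon_vma_free(struct toy_anon_vma *av)
{
    if (av->root->freed)
        uaf_events++;                      /* root already gone: use-after-free */
    if (av->root->rwsem_locked) {          /* the rwsem check being modelled */
        av->root->rwsem_locked = true;     /* lock ... */
        av->root->rwsem_locked = false;    /* ... and unlock */
    }
    if (av->freed)
        double_frees++;
    av->freed = true;
}

/* Release order from before the patch: root first, then the child. */
static void put_before_fix(struct toy_anon_vma *av)
{
    struct toy_anon_vma *root = av->root;

    if (root != av && --root->refcount == 0)
        toy_anon_vma_free(root);
    toy_anon_vma_free(av);                 /* av->root may already be freed */
}

/* Release order after the patch: child first, then the root it referenced. */
static void put_after_fix(struct toy_anon_vma *av)
{
    struct toy_anon_vma *root = av->root;

    toy_anon_vma_free(av);                 /* root is still alive here */
    if (root != av && --root->refcount == 0)
        toy_anon_vma_free(root);
}

/* The "last child drops the last reference on the root" scenario from the
 * commit message.  Returns the number of problems observed (use-after-free
 * plus double-free events), or -1 if an object was never released. */
int run_scenario(bool with_fix)
{
    struct toy_anon_vma root = { .refcount = 1 };   /* only the child's ref left */
    struct toy_anon_vma child = { .root = &root };

    root.root = &root;
    uaf_events = double_frees = 0;
    if (with_fix)
        put_after_fix(&child);
    else
        put_before_fix(&child);
    if (!root.freed || !child.freed)
        return -1;
    return uaf_events + double_frees;
}

/* The root == anon_vma case: the short-circuit must free the root once. */
int run_root_scenario(bool with_fix)
{
    struct toy_anon_vma root = { .refcount = 0 };

    root.root = &root;
    uaf_events = double_frees = 0;
    if (with_fix)
        put_after_fix(&root);
    else
        put_before_fix(&root);
    if (!root.freed)
        return -1;
    return uaf_events + double_frees;
}

int main(void)
{
    printf("child-last-ref, old order: %d problem(s)\n", run_scenario(false));
    printf("child-last-ref, new order: %d problem(s)\n", run_scenario(true));
    printf("root-itself, new order:    %d problem(s)\n", run_root_scenario(true));
    return 0;
}
```

The old order reports one use-after-free (the child's free reads the poisoned root), the patched order reports none, and the root-only path frees exactly once in both orders. The same poison-flag trick is what KASAN does at scale: quarantining freed memory so a later access is reported rather than silently corrupting whatever the allocator reused the slot for.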