diff options
| author | Liam R. Howlett <[email protected]> | 2023-04-10 11:22:05 -0400 |
|---|---|---|
| committer | Andrew Morton <[email protected]> | 2023-04-16 10:41:25 -0700 |
| commit | f4e9e0e69468583c2c6d9d5c7bfc975e292bf188 (patch) | |
| tree | 59a04b1a768478338fa42c88c3edffbfa89305ba /scripts/gdb/linux/utils.py | |
| parent | 4737edbbdd4958ae29ca6a310a6a2fa4e0684b01 (diff) | |
mm/mempolicy: fix use-after-free of VMA iterator
set_mempolicy_home_node() iterates over a list of VMAs and calls
mbind_range() on each VMA, which also iterates over the singular list of
the VMA passed in and potentially splits the VMA. Since the VMA iterator
is not passed through, set_mempolicy_home_node() may now point to a stale
node in the VMA tree. This can result in a UAF as reported by syzbot.
Avoid the stale maple tree node by passing the VMA iterator through to the
underlying call to split_vma().
mbind_range() is also overly complicated, since there are two calling
functions and one already handles iterating over the VMAs. Simplify
mbind_range() to only handle merging and splitting of the VMAs.
Align the new loop in do_mbind() and existing loop in
set_mempolicy_home_node() to use the reduced mbind_range() function. This
allows for a single location of the range calculation and avoids
constantly looking up the previous VMA (since this is a loop over the
VMAs).
Link: https://lore.kernel.org/linux-mm/[email protected]/
Fixes: 66850be55e8e ("mm/mempolicy: use vma iterator & maple state instead of vma linked list")
Signed-off-by: Liam R. Howlett <[email protected]>
Reported-by: [email protected]
Link: https://lkml.kernel.org/r/[email protected]
Tested-by: [email protected]
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Diffstat (limited to 'scripts/gdb/linux/utils.py')
0 files changed, 0 insertions, 0 deletions