Commit d59ebc9
mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway
commit 98b74bb upstream.
Syzbot reports a UAF in hugetlb_fault(). This happens because
vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA
to be freed before hugetlb_vma_unlock_read() is called.
We can fix this by using a modified version of vmf_anon_prepare() that
doesn't release the VMA lock on failure, and then release it ourselves
after hugetlb_vma_unlock_read().
Link: https://lkml.kernel.org/r/20240914194243.245-2-vishal.moola@gmail.com
Fixes: 9acad7b ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()")
Reported-by: syzbot+2dab93857ee95f2eeb08@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/
Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
Cc: Muchun Song <muchun.song@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent a5d3b94 commit d59ebc9
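As an added illustration that is not code from the kernel or from this commit: a userspace C model of the lock-ownership bug the message above describes. The names vma_model, prepare_dropping_lock, prepare_keeping_lock, concurrent_unmap, fault_path_buggy and fault_path_fixed are assumptions that stand in for the real vmf_anon_prepare(), hugetlb_vma_lock_read()/hugetlb_vma_unlock_read() and the per-VMA lock release; the two locks are modelled as reader counters and the freed VMA as a flag, so the use-after-free is observable deterministically instead of depending on real heap reuse.

```c
#include <stdbool.h>

/* Assumed model of a VMA for this illustration (not the kernel's struct
 * vm_area_struct): two locks as counters plus flags so that a touch after
 * free is detected deterministically instead of corrupting real memory. */
struct vma_model {
    int per_vma_readers;   /* per-VMA lock: while > 0 the VMA cannot be freed */
    int hugetlb_readers;   /* hugetlb VMA lock, which also lives inside the VMA */
    bool freed;            /* set once the simulated concurrent unmap frees it */
    bool uaf;              /* set if anything touches the VMA after 'freed' */
};

static void touch(struct vma_model *v) { if (v->freed) v->uaf = true; }

/* Analogues of taking/dropping the per-VMA lock. */
static void per_vma_lock_read(struct vma_model *v)   { touch(v); v->per_vma_readers++; }
static void per_vma_unlock_read(struct vma_model *v) { touch(v); v->per_vma_readers--; }

/* Analogues of hugetlb_vma_lock_read()/hugetlb_vma_unlock_read(). */
static void hugetlb_lock_read(struct vma_model *v)   { touch(v); v->hugetlb_readers++; }
static void hugetlb_unlock_read(struct vma_model *v) { touch(v); v->hugetlb_readers--; }

/* Simulated concurrent unmap: it may free the VMA only when no one holds the
 * per-VMA lock. Returns true when the free actually happened. */
static bool concurrent_unmap(struct vma_model *v) {
    if (v->per_vma_readers > 0) return false;
    v->freed = true;
    return true;
}

/* Pattern of the original helper: on failure it drops the caller's per-VMA
 * lock before returning, so lock ownership changes on the error path only. */
static int prepare_dropping_lock(struct vma_model *v, bool alloc_fails) {
    touch(v);
    if (alloc_fails) { per_vma_unlock_read(v); return -1; }
    return 0;
}

/* Pattern of the fixed helper: it reports failure and leaves every lock alone. */
static int prepare_keeping_lock(struct vma_model *v, bool alloc_fails) {
    touch(v);
    return alloc_fails ? -1 : 0;
}

/* Buggy ordering: after the helper fails, the hugetlb unlock still runs on the
 * VMA, but the per-VMA lock that kept it alive is already gone.
 * Returns true if a use-after-free was recorded. */
static bool fault_path_buggy(bool alloc_fails) {
    struct vma_model v = {0};
    per_vma_lock_read(&v);
    hugetlb_lock_read(&v);
    int ret = prepare_dropping_lock(&v, alloc_fails);
    concurrent_unmap(&v);            /* succeeds only if the lock was dropped */
    hugetlb_unlock_read(&v);         /* UAF here on the error path */
    if (ret == 0)
        per_vma_unlock_read(&v);     /* success path still owns the lock */
    return v.uaf;
}

/* Fixed ordering: the helper never releases the lock, so the caller unlocks
 * hugetlb first and then the per-VMA lock itself, on every path. */
static bool fault_path_fixed(bool alloc_fails) {
    struct vma_model v = {0};
    per_vma_lock_read(&v);
    hugetlb_lock_read(&v);
    int ret = prepare_keeping_lock(&v, alloc_fails);
    (void)ret;                       /* error code goes back to the fault handler;
                                        the unlock order is the same either way */
    concurrent_unmap(&v);            /* refused: per-VMA lock still held */
    hugetlb_unlock_read(&v);
    per_vma_unlock_read(&v);         /* released by the caller, after the hugetlb unlock */
    return v.uaf;
}
```

The 'freed' and 'uaf' flags play the role KASAN plays in the syzbot report: they make the touch-after-free visible on the first run rather than only when the slab is reused. fault_path_fixed follows the ordering the message states for the fix, a helper variant that does not release the lock on failure, with the caller dropping it after hugetlb_vma_unlock_read().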
1 file changed
Lines changed: 18 additions & 2 deletions
Diff of mm/hugetlb.c (hunk bodies were not preserved in this rendering; only the line positions survive):
around line 6079: one line replaced (1 deletion, 1 addition)
around line 6278: one line replaced (1 deletion, 1 addition)
after line 6408 (new lines 6409 to 6416): 8 lines added
after line 6629 (new lines 6638 to 6645): 8 lines added