Commit 6c21e06
mm/mempolicy: Take VMA lock before replacing policy
mbind() calls down into vma_replace_policy() without taking the per-VMA
locks, replaces the VMA's vma->vm_policy pointer, and frees the old
policy. That's bad; a concurrent page fault might still be using the
old policy (in vma_alloc_folio()), resulting in use-after-free.
Normally this will manifest as a use-after-free read first, but it can
result in memory corruption, including because vma_alloc_folio() can
call mpol_cond_put() on the freed policy, which conditionally changes
the policy's refcount member.
This bug is specific to CONFIG_NUMA, but it does also affect non-NUMA
systems as long as the kernel was built with CONFIG_NUMA.
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Suren Baghdasaryan <surenb@google.com>
Fixes: 5e31275 ("mm: add per-VMA lock and helper functions to control it")
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>1 parent 57012c5 commit 6c21e06
1 file changed
Lines changed: 14 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
384 | 384 | | |
385 | 385 | | |
386 | 386 | | |
387 | | - | |
| 387 | + | |
| 388 | + | |
388 | 389 | | |
| 390 | + | |
389 | 391 | | |
390 | 392 | | |
391 | 393 | | |
| |||
768 | 770 | | |
769 | 771 | | |
770 | 772 | | |
| 773 | + | |
| 774 | + | |
771 | 775 | | |
772 | 776 | | |
773 | 777 | | |
| |||
1313 | 1317 | | |
1314 | 1318 | | |
1315 | 1319 | | |
| 1320 | + | |
| 1321 | + | |
| 1322 | + | |
| 1323 | + | |
| 1324 | + | |
| 1325 | + | |
| 1326 | + | |
| 1327 | + | |
1316 | 1328 | | |
1317 | 1329 | | |
1318 | 1330 | | |
| |||
1538 | 1550 | | |
1539 | 1551 | | |
1540 | 1552 | | |
| 1553 | + | |
1541 | 1554 | | |
1542 | 1555 | | |
1543 | 1556 | | |
| |||
0 commit comments