android_kernel_samsung_a7y1.../mm
Linus Torvalds 28f068a17b mm: prevent get_user_pages() from overflowing page refcount
commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream.

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ 4.4.y backport notes:
  Ajay:     - Added local variable 'err' within follow_hugetlb_page()
              from 2be7cfed995e, to resolve compilation error
            - Added page_ref_count()
            - Added missing refcount overflow checks on x86 and s390
              (Vlastimil, thanks for this change)
  Srivatsa: - Replaced call to get_page_foll() with try_get_page_foll() ]
Signed-off-by: Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
Signed-off-by: Ajay Kaher <akaher@vmware.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-07 14:08:50 +02:00
kasan A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
backing-dev.c writeback: synchronize sync(2) against cgroup writeback membership switches 2020-04-06 18:12:57 +02:00
balloon_compaction.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
bootmem.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cleancache.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
cma_debug.c mm/cma_debug.c: fix the break condition in cma_maxchunk_get() 2020-04-06 19:01:41 +02:00
cma.c mm/cma.c: fail if fixed declaration can't be honored 2020-04-06 20:27:19 +02:00
cma.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
compaction.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
debug-pagealloc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
debug.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
dmapool.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
early_ioremap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
fadvise.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
failslab.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
filemap.c mm/filemap.c: don't initiate writeback if mapping has no dirty pages 2020-04-07 11:58:51 +02:00
frame_vector.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
frontswap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
gup.c mm: prevent get_user_pages() from overflowing page refcount 2020-04-07 14:08:50 +02:00
highmem.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hpa.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
huge_memory.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
hugetlb_cgroup.c mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup() 2020-04-07 12:26:33 +02:00
hugetlb.c mm: prevent get_user_pages() from overflowing page refcount 2020-04-07 14:08:50 +02:00
hwpoison-inject.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
init-mm.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
internal.h mm: add 'try_get_page()' helper function 2020-04-07 14:05:08 +02:00
interval_tree.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
io_record.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Kconfig.debug A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kmemcheck.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kmemleak-test.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
kmemleak.c mm/kmemleak.c: fix check for softirq context 2020-04-06 20:16:21 +02:00
ksm.c mm/ksm.c: don't WARN if page is still mapped in remove_stable_node() 2020-04-07 12:33:44 +02:00
list_lru.c mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node 2020-04-06 19:02:54 +02:00
maccess.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
madvise.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
Makefile A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memblock.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memcontrol.c mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm() 2020-04-07 12:26:31 +02:00
memory_hotplug.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memory-failure.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memory.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mempolicy.c mm/mempolicy.c: fix out of bounds write in mpol_parse_str() 2020-04-07 13:48:18 +02:00
mempool.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
memtest.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
migrate.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mincore.c mm/mincore.c: make mincore() more conservative 2020-04-06 18:12:28 +02:00
mlock.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mm_init.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mmap.c Revert "coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping" 2020-04-06 22:47:46 +05:30
mmu_context.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mmu_notifier.c mm/mmu_notifier: use hlist_add_head_rcu() 2020-04-06 20:16:25 +02:00
mmzone.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mprotect.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
mremap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
msync.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nobootmem.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
nommu.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
oom_kill.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
page_alloc.c mm/page_alloc.c: calculate 'available' memory in a separate function 2020-04-07 13:36:28 +02:00
page_counter.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
page_ext.c mm/page_ext.c: fix an imbalance with kmemleak 2020-04-06 14:22:59 +02:00
page_idle.c mm/page_idle.c: fix oops because end_pfn is larger than max_pfn 2020-04-06 19:14:16 +02:00
page_io.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
page_isolation.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
page_owner.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
page-writeback.c mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() 2020-04-07 13:37:49 +02:00
pagewalk.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
percpu-km.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
percpu-vm.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
percpu.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
pgtable-generic.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
process_vm_access.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
quicklist.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
readahead.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
rmap.c mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON 2020-04-06 11:16:40 +02:00
shmem.c mm/shmem.c: cast the type of unmap_start to u64 2020-04-07 13:08:06 +02:00
showmem_extra.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
slab_common.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
slab.c mm/slab.c: kmemleak no scan alien caches 2020-04-06 14:23:23 +02:00
slab.h A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
slob.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
slub.c mm/slub: fix a deadlock in show_slab_objects() 2020-04-07 09:26:52 +02:00
sparse-vmemmap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
sparse.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
swap_cgroup.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
swap_state.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
swap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
swapfile.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
truncate.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
usercopy.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
userfaultfd.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
util.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
vmacache.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
vmalloc.c mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() 2020-04-06 20:38:23 +02:00
vmpressure.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
vmscan.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
vmstat.c mm, vmstat: hide /proc/pagetypeinfo from normal users 2020-04-07 11:48:32 +02:00
workingset.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
zbud.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
zpool.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
zsmalloc.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30
zswap.c A750FXXU4CTBC 2020-03-27 21:51:54 +05:30