ANDROID: arm64/mm: protect vm_file during speculative page fault handling

Use vma->file_ref_count to protect vma->vm_file from destruction during
speculative page fault handling.

Bug: 234527424
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I4c826fd5ef45576566e1eb8f8f23d17e620e7fc9
This commit is contained in:
Suren Baghdasaryan
2022-06-08 11:04:52 -07:00
committed by Carlos Llamas
parent a3fe25d923
commit 0f4ea1e593


@@ -542,6 +542,7 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
unsigned int mm_flags = FAULT_FLAG_DEFAULT;
unsigned long addr = untagged_addr(far);
#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
struct vm_area_struct *orig_vma = NULL;
struct vm_area_struct *vma;
struct vm_area_struct pvma;
unsigned long seq;
@@ -629,17 +630,29 @@ static int __kprobes do_page_fault(unsigned long far, unsigned int esr,
count_vm_spf_event(SPF_ABORT_NO_SPECULATE);
goto spf_abort;
}
if (vma->vm_file) {
if (!vma_get_file_ref(vma)) {
rcu_read_unlock();
count_vm_spf_event(SPF_ABORT_UNMAPPED);
goto spf_abort;
}
orig_vma = vma;
}
pvma = *vma;
rcu_read_unlock();
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY))
if (!mmap_seq_read_check(mm, seq, SPF_ABORT_VMA_COPY)) {
vma_put_file_ref(orig_vma);
goto spf_abort;
}
vma = &pvma;
if (!(vma->vm_flags & vm_flags)) {
count_vm_spf_event(SPF_ABORT_ACCESS_ERROR);
vma_put_file_ref(orig_vma);
goto spf_abort;
}
fault = do_handle_mm_fault(vma, addr & PAGE_MASK,
mm_flags | FAULT_FLAG_SPECULATIVE, seq, regs);
vma_put_file_ref(orig_vma);
/* Quick path to respond to signals */
if (fault_signal_pending(fault, regs)) {
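Review bot: All three release sites in the second hunk (the mmap_seq_read_check failure branch, the access-error branch, and the line after do_handle_mm_fault()) call `vma_put_file_ref(orig_vma)` with `orig_vma` still NULL whenever `vma->vm_file` was NULL, so the code only works if that helper, defined outside this file, accepts a NULL argument; if it does not, each call needs `if (orig_vma) vma_put_file_ref(orig_vma);`. The pointer also names the live vm_area_struct after `rcu_read_unlock()`, so the reference taken by `vma_get_file_ref(vma)` presumably has to keep the vma itself alive as well, which cannot be confirmed from this hunk and deserves a comment where it is recorded: `orig_vma = vma; /* holds a file ref that must survive rcu_read_unlock(); dropped on every exit below */`. The `orig_vma = NULL` initializer in the first hunk is what makes the no-file case reach the release calls, so the two hunks must stay consistent. do_page_fault() begins before the first hunk and the spf_abort label lies past the end of the second, so the abort path itself is not visible here.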