91b7584411
When adjacent vmas are being merged it can result in the vma that was
originally passed to madvise_update_vma being destroyed. In the current
implementation, the name parameter passed to madvise_update_vma points
directly to vma->anon_name->name and it is used after the call to
vma_merge. In the cases when vma_merge merges the original vma and
destroys it, this will result in use-after-free bug as shown below:
madvise_vma_behavior << passes vma->anon_name->name as name param
madvise_update_vma(name)
vma_merge
__vma_adjust
vm_area_free <-- frees the vma
replace_vma_anon_name(name) <-- UAF
Fix this by raising the name refcount and stabilizing it. Introduce
vma_anon_name_{get/put} API for this purpose.
Link: https://lkml.kernel.org/r/20220211013032.623763-1-surenb@google.com
Fixes: 9a10064f5625 ("mm: add a field to store names for private anonymous memory")
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Reported-by: syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
Cc: Colin Cross <ccross@google.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Alexey Gladkov <legion@kernel.org>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Chris Hyser <chris.hyser@oracle.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Peter Collingbourne <pcc@google.com>
Cc: Xiaofeng Cao <caoxiaofeng@yulong.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 8cadf02b8d6dc771f05f5934c12e751481964039
https://github.com/hnaz/linux-mm.git master)
Bug: 218352794
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I30c00a89109ee842d40e5f4b21a35c07ad695903
171 lines
4.7 KiB
C
171 lines
4.7 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef LINUX_MM_INLINE_H
|
|
#define LINUX_MM_INLINE_H
|
|
|
|
#include <linux/huge_mm.h>
|
|
#include <linux/swap.h>
|
|
#include <linux/string.h>
|
|
|
|
/**
|
|
* page_is_file_lru - should the page be on a file LRU or anon LRU?
|
|
* @page: the page to test
|
|
*
|
|
* Returns 1 if @page is a regular filesystem backed page cache page or a lazily
|
|
* freed anonymous page (e.g. via MADV_FREE). Returns 0 if @page is a normal
|
|
* anonymous page, a tmpfs page or otherwise ram or swap backed page. Used by
|
|
* functions that manipulate the LRU lists, to sort a page onto the right LRU
|
|
* list.
|
|
*
|
|
* We would like to get this info without a page flag, but the state
|
|
* needs to survive until the page is last deleted from the LRU, which
|
|
* could be as far down as __page_cache_release.
|
|
*/
|
|
static inline int page_is_file_lru(struct page *page)
|
|
{
|
|
return !PageSwapBacked(page);
|
|
}
|
|
|
|
static __always_inline void update_lru_size(struct lruvec *lruvec,
|
|
enum lru_list lru, enum zone_type zid,
|
|
int nr_pages)
|
|
{
|
|
struct pglist_data *pgdat = lruvec_pgdat(lruvec);
|
|
|
|
__mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages);
|
|
__mod_zone_page_state(&pgdat->node_zones[zid],
|
|
NR_ZONE_LRU_BASE + lru, nr_pages);
|
|
#ifdef CONFIG_MEMCG
|
|
mem_cgroup_update_lru_size(lruvec, lru, zid, nr_pages);
|
|
#endif
|
|
}
|
|
|
|
/**
|
|
* __clear_page_lru_flags - clear page lru flags before releasing a page
|
|
* @page: the page that was on lru and now has a zero reference
|
|
*/
|
|
static __always_inline void __clear_page_lru_flags(struct page *page)
|
|
{
|
|
VM_BUG_ON_PAGE(!PageLRU(page), page);
|
|
|
|
__ClearPageLRU(page);
|
|
|
|
/* this shouldn't happen, so leave the flags to bad_page() */
|
|
if (PageActive(page) && PageUnevictable(page))
|
|
return;
|
|
|
|
__ClearPageActive(page);
|
|
__ClearPageUnevictable(page);
|
|
}
|
|
|
|
/**
|
|
* page_lru - which LRU list should a page be on?
|
|
* @page: the page to test
|
|
*
|
|
* Returns the LRU list a page should be on, as an index
|
|
* into the array of LRU lists.
|
|
*/
|
|
static __always_inline enum lru_list page_lru(struct page *page)
|
|
{
|
|
enum lru_list lru;
|
|
|
|
VM_BUG_ON_PAGE(PageActive(page) && PageUnevictable(page), page);
|
|
|
|
if (PageUnevictable(page))
|
|
return LRU_UNEVICTABLE;
|
|
|
|
lru = page_is_file_lru(page) ? LRU_INACTIVE_FILE : LRU_INACTIVE_ANON;
|
|
if (PageActive(page))
|
|
lru += LRU_ACTIVE;
|
|
|
|
return lru;
|
|
}
|
|
|
|
static __always_inline void add_page_to_lru_list(struct page *page,
|
|
struct lruvec *lruvec)
|
|
{
|
|
enum lru_list lru = page_lru(page);
|
|
|
|
update_lru_size(lruvec, lru, page_zonenum(page), thp_nr_pages(page));
|
|
list_add(&page->lru, &lruvec->lists[lru]);
|
|
}
|
|
|
|
static __always_inline void add_page_to_lru_list_tail(struct page *page,
|
|
struct lruvec *lruvec)
|
|
{
|
|
enum lru_list lru = page_lru(page);
|
|
|
|
update_lru_size(lruvec, lru, page_zonenum(page), thp_nr_pages(page));
|
|
list_add_tail(&page->lru, &lruvec->lists[lru]);
|
|
}
|
|
|
|
static __always_inline void del_page_from_lru_list(struct page *page,
|
|
struct lruvec *lruvec)
|
|
{
|
|
list_del(&page->lru);
|
|
update_lru_size(lruvec, page_lru(page), page_zonenum(page),
|
|
-thp_nr_pages(page));
|
|
}
|
|
|
|
#ifdef CONFIG_ANON_VMA_NAME
|
|
/*
|
|
* mmap_lock should be read-locked when calling vma_anon_name() and while using
|
|
* the returned pointer.
|
|
*/
|
|
extern const char *vma_anon_name(struct vm_area_struct *vma);
|
|
|
|
/* mmap_lock should be read-locked */
|
|
extern struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma);
|
|
|
|
extern void vma_anon_name_put(struct anon_vma_name *anon_name);
|
|
|
|
/*
|
|
* mmap_lock should be read-locked for orig_vma->vm_mm.
|
|
* mmap_lock should be write-locked for new_vma->vm_mm or new_vma should be
|
|
* isolated.
|
|
*/
|
|
extern void dup_vma_anon_name(struct vm_area_struct *orig_vma,
|
|
struct vm_area_struct *new_vma);
|
|
|
|
/*
|
|
* mmap_lock should be write-locked or vma should have been isolated under
|
|
* write-locked mmap_lock protection.
|
|
*/
|
|
extern void free_vma_anon_name(struct vm_area_struct *vma);
|
|
|
|
/* mmap_lock should be read-locked */
|
|
static inline bool is_same_vma_anon_name(struct vm_area_struct *vma,
|
|
const char *name)
|
|
{
|
|
const char *vma_name = vma_anon_name(vma);
|
|
|
|
/* either both NULL, or pointers to same string */
|
|
if (vma_name == name)
|
|
return true;
|
|
|
|
return name && vma_name && !strcmp(name, vma_name);
|
|
}
|
|
#else /* CONFIG_ANON_VMA_NAME */
|
|
static inline const char *vma_anon_name(struct vm_area_struct *vma)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static inline
|
|
struct anon_vma_name *vma_anon_name_get(struct vm_area_struct *vma)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static inline void vma_anon_name_put(struct anon_vma_name *anon_name) {}
|
|
static inline void dup_vma_anon_name(struct vm_area_struct *orig_vma,
|
|
struct vm_area_struct *new_vma) {}
|
|
static inline void free_vma_anon_name(struct vm_area_struct *vma) {}
|
|
static inline bool is_same_vma_anon_name(struct vm_area_struct *vma,
|
|
const char *name)
|
|
{
|
|
return true;
|
|
}
|
|
#endif /* CONFIG_ANON_VMA_NAME */
|
|
|
|
#endif
|