mm: rmap: fix use-after-free in __put_anon_vma [Linux 3.15]

This Linux kernel change "mm: rmap: fix use-after-free in __put_anon_vma" is included in the Linux 3.15 release. This change is authored by Andrey Ryabinin <a.ryabinin [at] samsung.com> on Fri Jun 6 19:09:30 2014 +0400. The commit for this change in the Linux stable tree is 624483f (patch).

mm: rmap: fix use-after-free in __put_anon_vma

While working on the address sanitizer for the kernel, I've discovered a
use-after-free bug in __put_anon_vma.

For the last anon_vma, anon_vma->root is freed before the child anon_vma.
Later, in anon_vma_free(anon_vma), we reference the already freed
anon_vma->root to check the rwsem.

This fixes it by freeing the child anon_vma before freeing
anon_vma->root.

Signed-off-by: Andrey Ryabinin <[email protected]>
Acked-by: Peter Zijlstra <[email protected]>
Cc: <[email protected]> # v3.0+
Signed-off-by: Linus Torvalds <[email protected]>

There are 3 lines of Linux source code added/deleted in this change. The code changes to the Linux kernel are as follows.

 mm/rmap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mm/rmap.c b/mm/rmap.c
index 9c3e773..83bfafa 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1564,10 +1564,9 @@ void __put_anon_vma(struct anon_vma *anon_vma)
 {
    struct anon_vma *root = anon_vma->root;

+   anon_vma_free(anon_vma);
    if (root != anon_vma && atomic_dec_and_test(&root->refcount))
        anon_vma_free(root);
-
-   anon_vma_free(anon_vma);
 }

 static struct anon_vma *rmap_walk_anon_lock(struct page *page,
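Review bot: the reordering is only safe because `struct anon_vma *root = anon_vma->root;` captures the root before `anon_vma_free(anon_vma);` runs, and nothing in the hunk records that `anon_vma_free(anon_vma)` still needs a live root; a one-line comment above the moved `anon_vma_free(anon_vma);` stating that the child must be freed before its root (since freeing it checks the root's rwsem) would keep a future cleanup from restoring the original order and reintroducing the use-after-free. The `root != anon_vma` guard still covers the case where the root is released last, so no further change is needed; dropping the blank line is fine.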
