Commit 624483f3 authored Jun 06, 2014 by Andrey Ryabinin Committed by Linus Torvalds Jun 06, 2014

mm: rmap: fix use-after-free in __put_anon_vma



While working address sanitizer for kernel I've discovered
use-after-free bug in __put_anon_vma.

For the last anon_vma, anon_vma->root freed before child anon_vma.
Later in anon_vma_free(anon_vma) we are referencing to already freed
anon_vma->root to check rwsem.

This fixes it by freeing the child anon_vma before freeing
anon_vma->root.

Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: <stable@vger.kernel.org> # v3.0+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 951e2730

mm/rmap.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -1564,10 +1564,9 @@ void __put_anon_vma(struct anon_vma *anon_vma)
		{
		struct anon_vma *root = anon_vma->root;

		anon_vma_free(anon_vma);
		if (root != anon_vma && atomic_dec_and_test(&root->refcount))
		anon_vma_free(root);

		anon_vma_free(anon_vma);
		}

		static struct anon_vma rmap_walk_anon_lock(struct page page,

Admin message