tmakin/ack-tegra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ANDROID: mm: fix use-after free of page_ext in page_pinner

Browse Source 
Apply new page_ext refcounting scheme to page_pinner.

Bug: 236222283
Bug: 240196534
[surenb: extracted from aosp/2369529]
Change-Id: I3b64caf5a7e8ff316507cc3933f5b3696142268d
Signed-off-by: Charan Teja Kalla <quic_charante@quicinc.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
(cherry picked from commit 231a4cccec448391d8c1d7610fece41628aafbfc)
Signed-off-by: Georgi Djakov <quic_c_gdjako@quicinc.com>
This commit is contained in:
Charan Teja Kalla
2022-08-18 19:20:00 +05:30
committed by Suren Baghdasaryan
parent 26084a409c
commit 4adae0ea21
1 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mm/page_pinner.c
+12 -9
View File
@@ -153,7 +153,7 @@ void __free_page_pinner(struct page *page, unsigned int order)
if (!pp_buffer.buffer)
return;
page_ext = lookup_page_ext(page);
page_ext = page_ext_get(page);
if (unlikely(!page_ext))
return;
@@ -164,10 +164,6 @@ void __free_page_pinner(struct page *page, unsigned int order)
continue;
page_pinner = get_page_pinner(page_ext);
/* record page free call path */
page_ext = lookup_page_ext(page);
if (unlikely(!page_ext))
continue;
record.handle = save_stack(GFP_NOWAIT|__GFP_NOWARN);
record.ts_usec = (u64)ktime_to_us(ktime_get_boottime());
@@ -181,6 +177,7 @@ void __free_page_pinner(struct page *page, unsigned int order)
clear_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags);
page_ext = page_ext_next(page_ext);
}
page_ext_put(page_ext);
}
static ssize_t
@@ -248,7 +245,7 @@ err:
void __page_pinner_failure_detect(struct page *page)
{
struct page_ext *page_ext = lookup_page_ext(page);
struct page_ext *page_ext = page_ext_get(page);
struct page_pinner *page_pinner;
struct captured_pinner record;
u64 now;
@@ -256,8 +253,10 @@ void __page_pinner_failure_detect(struct page *page)
if (unlikely(!page_ext))
return;
if (test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags))
if (test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags)) {
page_ext_put(page_ext);
return;
}
now = (u64)ktime_to_us(ktime_get_boottime());
page_pinner = get_page_pinner(page_ext);
@@ -270,12 +269,13 @@ void __page_pinner_failure_detect(struct page *page)
capture_page_state(page, &record);
add_record(&pp_buffer, &record);
page_ext_put(page_ext);
}
EXPORT_SYMBOL_GPL(__page_pinner_failure_detect);
void __page_pinner_put_page(struct page *page)
{
struct page_ext *page_ext = lookup_page_ext(page);
struct page_ext *page_ext = page_ext_get(page);
struct page_pinner *page_pinner;
struct captured_pinner record;
u64 now, ts_usec;
@@ -283,8 +283,10 @@ void __page_pinner_put_page(struct page *page)
if (unlikely(!page_ext))
return;
if (!test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags))
if (!test_bit(PAGE_EXT_PINNER_MIGRATION_FAILED, &page_ext->flags)) {
page_ext_put(page_ext);
return;
}
page_pinner = get_page_pinner(page_ext);
record.handle = save_stack(GFP_NOWAIT|__GFP_NOWARN);
@@ -299,6 +301,7 @@ void __page_pinner_put_page(struct page *page)
capture_page_state(page, &record);
add_record(&pp_buffer, &record);
page_ext_put(page_ext);
}
EXPORT_SYMBOL_GPL(__page_pinner_put_page);