d3a52e0ec2
An munmap() on a binder device causes binder_vma_close() to be called which clears the alloc->vma pointer. If direct reclaim causes binder_alloc_free_page() to be called, there is a race where alloc->vma is read into a local vma pointer and then used later after the mm->mmap_sem is acquired. This can result in calling zap_page_range() with an invalid vma which manifests as a use-after-free in zap_page_range(). The fix is to check alloc->vma after acquiring the mmap_sem (which we were acquiring anyway) and bail out of binder_alloc_free_page() if it has changed to NULL. Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6 Signed-off-by: Todd Kjos <tkjos@google.com> (cherry picked from commit 7257eac9401f989a62503b6c12a47af1b10591d1) |
||
|---|---|---|
| .. | ||
| binder.c | ||
| binder_alloc.c | ||
| binder_alloc.h | ||
| binder_alloc_selftest.c | ||
| binder_trace.h | ||
| Kconfig | ||
| Makefile | ||