mm/z3fold: fix z3fold_page_migrate races with z3fold_map - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Miaohe Lin <linmiaohe@huawei.com>	2022-04-29 14:40:43 +0800
committer	akpm <akpm@linux-foundation.org>	2022-05-27 09:33:44 -0700
commit	943fb61dd66f475c25b1ef5dddb647070f2e89a1 (patch)
tree	0f867eb3f6ae071634813a1284fa8833eb2eec4d /mm/mprotect.c
parent	04094226d6ce8c0cb590891e13872109aa6722f1 (diff)
download	linux-943fb61dd66f475c25b1ef5dddb647070f2e89a1.tar.bz2

mm/z3fold: fix z3fold_page_migrate races with z3fold_map

Think about the below scenario: CPU1 CPU2 z3fold_page_migrate z3fold_map z3fold_page_trylock ... z3fold_page_unlock /* slots still points to old zhdr*/ get_z3fold_header get slots from handle get old zhdr from slots z3fold_page_trylock return *old* zhdr encode_handle(new_zhdr, FIRST|LAST|MIDDLE) put_page(page) /* zhdr is freed! */ but zhdr is still used by caller! z3fold_map can map freed z3fold page and lead to use-after-free bug. To fix it, we add PAGE_MIGRATED to indicate z3fold page is migrated and soon to be released. So get_z3fold_header won't return such page. Link: https://lkml.kernel.org/r/20220429064051.61552-10-linmiaohe@huawei.com Fixes: 1f862989b04a ("mm/z3fold.c: support page migration") Signed-off-by: Miaohe Lin <linmiaohe@huawei.com> Reviewed-by: Vitaly Wool <vitaly.wool@konsulko.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

Diffstat (limited to 'mm/mprotect.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: