Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / d972ebbf42ba6712460308ae57c222a0706f2af3
commitd972ebbf42ba6712460308ae57c222a0706f2af3[log] [tgz]
authorLinus Torvalds <torvalds@linux-foundation.org>Thu Apr 11 10:49:19 2019 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Sat May 04 09:20:11 2019 +0200
treea772b21386424f5b233e40a30ac11b149e820521
parent0612cae7ec6b79d2ff1b34562bab79d5bf96327a [diff]
mm: prevent get_user_pages() from overflowing page refcount

commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream.

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2 files changed
tree: a772b21386424f5b233e40a30ac11b149e820521
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .clang-format
  25. .cocciconfig
  26. .get_maintainer.ignore
  27. .gitattributes
  28. .gitignore
  29. .mailmap
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README