| Message ID | 1403558268-29514-1-git-send-email-kamal@canonical.com |
|---|---|
| State | New |
| Headers | show |
diff --git a/mm/rmap.c b/mm/rmap.c index da8e2cf..770320b 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -1696,10 +1696,9 @@ void __put_anon_vma(struct anon_vma *anon_vma) { struct anon_vma *root = anon_vma->root; + anon_vma_free(anon_vma); if (root != anon_vma && atomic_dec_and_test(&root->refcount)) anon_vma_free(root); - - anon_vma_free(anon_vma); } #ifdef CONFIG_MIGRATION
This is a note to let you know that I have just added a patch titled mm: rmap: fix use-after-free in __put_anon_vma to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue This patch is scheduled to be released in version 3.8.13.25. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.8.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From 53a486967819bd39c5315f6f7b72796ab79ca26c Mon Sep 17 00:00:00 2001 From: Andrey Ryabinin <a.ryabinin@samsung.com> Date: Fri, 6 Jun 2014 19:09:30 +0400 Subject: [PATCH 66/66] mm: rmap: fix use-after-free in __put_anon_vma commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream. While working address sanitizer for kernel I've discovered use-after-free bug in __put_anon_vma. For the last anon_vma, anon_vma->root freed before child anon_vma. Later in anon_vma_free(anon_vma) we are referencing to already freed anon_vma->root to check rwsem. This fixes it by freeing the child anon_vma before freeing anon_vma->root. Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> --- mm/rmap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) -- 1.9.1