Emulation/switch-linux
1
0
Fork 0
mirror of https://github.com/fail0verflow/switch-linux.git synced 2025-05-04 02:34:21 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
switch-linux/kernel
History
David Rientjes c11600e4fe mm, mempolicy: task->mempolicy must be NULL before dropping final reference 
KASAN allocates memory from the page allocator as part of
kmem_cache_free(), and that can reference current->mempolicy through any
number of allocation functions.  It needs to be NULL'd out before the
final reference is dropped to prevent a use-after-free bug:

	BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
	CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
	...
	Call Trace:
		dump_stack
		kasan_object_err
		kasan_report_error
		__asan_report_load2_noabort
		alloc_pages_current	<-- use after free
		depot_save_stack
		save_stack
		kasan_slab_free
		kmem_cache_free
		__mpol_put		<-- free
		do_exit

This patch sets current->mempolicy to NULL before dropping the final
reference.

Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com
Fixes: cd11016e5f ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
Signed-off-by: David Rientjes <rientjes@google.com>
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>	[4.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-09-01 17:52:01 -07:00
..
bpf bpf: fix bpf_skb_in_cgroup helper naming 2016-08-12 21:53:33 -07:00
configs kconfig: tinyconfig: provide whole choice blocks to avoid warnings 2016-09-01 17:52:01 -07:00
debug
events perf/core: Use this_cpu_ptr() when stopping AUX events 2016-08-24 15:03:10 +02:00
gcov
irq genirq/affinity: Use get/put_online_cpus around cpumask operations 2016-08-22 11:22:44 +02:00
livepatch
locking
power Merge branch 'pm-sleep' 2016-08-18 03:27:08 +02:00
printk printk/nmi: avoid direct printk()-s from __printk_nmi_flush() 2016-09-01 17:52:01 -07:00
rcu
sched sched/cputime: Resync steal time when guest & host lose sync 2016-08-18 11:19:48 +02:00
time timekeeping: Cap array access in timekeeping_debug 2016-08-24 09:34:32 +02:00
trace block: Fix secure erase 2016-08-16 09:16:51 -06:00
.gitignore
acct.c
async.c
audit.c
audit.h
audit_fsnotify.c
audit_tree.c
audit_watch.c
auditfilter.c
auditsc.c
backtracetest.c
bounds.c
capability.c
cgroup.c
cgroup_freezer.c
cgroup_pids.c
compat.c
configs.c
context_tracking.c
cpu.c
cpu_pm.c
cpuset.c
crash_dump.c
cred.c
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c mm, mempolicy: task->mempolicy must be NULL before dropping final reference 2016-09-01 17:52:01 -07:00
extable.c
fork.c cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork 2016-08-17 09:54:52 -04:00
freezer.c
futex.c
futex_compat.c
groups.c
hung_task.c
irq_work.c
jump_label.c
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kexec.c
kexec_core.c
kexec_file.c kexec: fix double-free when failing to relocate the purgatory 2016-09-01 17:52:01 -07:00
kexec_internal.h
kmod.c
kprobes.c
ksysfs.c
kthread.c
latencytop.c
Makefile
membarrier.c
memremap.c
module-internal.h
module.c
module_signing.c
notifier.c
nsproxy.c
padata.c
panic.c
params.c
pid.c
pid_namespace.c
profile.c
ptrace.c
range.c
reboot.c
relay.c
resource.c
seccomp.c seccomp: Fix tracer exit notifications during fatal signals 2016-08-30 16:12:46 -07:00
signal.c
smp.c
smpboot.c
smpboot.h
softirq.c
stacktrace.c
stop_machine.c
sys.c
sys_ni.c
sysctl.c sysctl: handle error writing UINT_MAX to u32 fields 2016-08-26 17:39:35 -07:00
sysctl_binary.c
task_work.c
taskstats.c
test_kprobes.c
torture.c
tracepoint.c
tsacct.c
uid16.c
up.c
user-return-notifier.c
user.c
user_namespace.c
utsname.c
utsname_sysctl.c
watchdog.c
workqueue.c
workqueue_internal.h