FROMGIT: mm: prevent get_user_pages() from overflowing page refcount

commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream.

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <[email protected]>
Acked-by: Matthew Wilcox <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit 04198de24771f6aaf6374979db64403101d809df
 git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y)

BUG=chromium:958318
TEST=trybots

Change-Id: Ie358cdcd735d62934857eb80e9528ceeffd4f311
Signed-off-by: Guenter Roeck <[email protected]>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1599254
Reviewed-by: Sean Paul <[email protected]>
2 files changed
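
The guard described in the commit message, as an added userspace model in C (not code from this commit or from the kernel): every name below is hypothetical and the starting counts are constructed. It contrasts an unguarded 32-bit counter that wraps and frees a still-referenced page with one that refuses new references past INT32_MAX.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of a page with a 32-bit refcount; all names are hypothetical. */
struct model_page { uint32_t refcount; bool freed; };

/* Guarded get: refuse when the count, read as a signed 32-bit value, is
 * zero or negative, i.e. more than INT32_MAX references already exist. */
static bool model_try_get(struct model_page *p)
{
    if (p->refcount == 0 || p->refcount > (uint32_t)INT32_MAX)
        return false;
    p->refcount++;
    return true;
}

/* Put: drop one reference; the page is freed when the count reaches zero. */
static void model_put(struct model_page *p)
{
    if (--p->refcount == 0)
        p->freed = true;
}

/* Reset the page to `start` references, request n more, return how many were granted. */
static uint64_t take_refs(struct model_page *p, uint32_t start, uint64_t n, bool guarded)
{
    uint64_t granted;
    *p = (struct model_page){ .refcount = start };
    for (granted = 0; granted < n; granted++) {
        if (!guarded)
            p->refcount++;              /* unguarded get: can wrap past zero */
        else if (!model_try_get(p))
            break;                      /* guarded get refused the reference */
    }
    return granted;
}

int main(void)
{
    struct model_page p;
    take_refs(&p, 0xFFFFFFFEu, 3, false);   /* constructed count just below the wrap */
    model_put(&p);                          /* one put now frees a page others still hold */
    printf("unguarded: refcount=%u freed=%d\n", (unsigned)p.refcount, p.freed);
    unsigned long long g = take_refs(&p, 0x7FFFFFFEu, 5, true);
    printf("guarded: granted=%llu refcount=0x%X freed=%d\n", g, (unsigned)p.refcount, p.freed);
}
```

In the guarded run only two of the five requested references are granted, so the counter stops at 0x80000000 and can never reach the wrap.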