]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5c23946) | patch
mm: prevent get_user_pages() from overflowing page refcount
authorLinus Torvalds <torvalds@linux-foundation.org>
Thu, 11 Apr 2019 17:49:19 +0000 (10:49 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sun, 14 Apr 2019 17:00:04 +0000 (10:00 -0700)
commit332f562785f5fb68a29e76345a7a03a3a9e52cf8
tree23ee93c180e690ccd12257fb677fa9b40e1be53atree | snapshot
parent5c2394649b078cfaf76a84ffb7b2e1fabd086cb2commit | diff
mm: prevent get_user_pages() from overflowing page refcount

If the page refcount wraps around past zero, it will be freed while
there are still four billion references to it.  One of the possible
avenues for an attacker to try to make this happen is by doing direct IO
on a page multiple times.  This patch makes get_user_pages() refuse to
take a new page reference if there are already more than two billion
references to the page.

Reported-by: Jann Horn <jannh@google.com>
Acked-by: Matthew Wilcox <willy@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/gup.c diff | blob | history
mm/hugetlb.c diff | blob | history
Linux Kernel Source Tree.