mm: prevent get_user_pages() from overflowing page refcount - user/sven/linux.git

diff options

author	Linus Torvalds <torvalds@linux-foundation.org>	2019-04-11 10:49:19 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-04 09:20:11 +0200
commit	d972ebbf42ba6712460308ae57c222a0706f2af3 (patch)
tree	a772b21386424f5b233e40a30ac11b149e820521 /include
parent	0612cae7ec6b79d2ff1b34562bab79d5bf96327a (diff)

mm: prevent get_user_pages() from overflowing page refcount

commit 8fde12ca79aff9b5ba951fce1a2641901b8d8e64 upstream. If the page refcount wraps around past zero, it will be freed while there are still four billion references to it. One of the possible avenues for an attacker to try to make this happen is by doing direct IO on a page multiple times. This patch makes get_user_pages() refuse to take a new page reference if there are already more than two billion references to the page. Reported-by: Jann Horn <jannh@google.com> Acked-by: Matthew Wilcox <willy@infradead.org> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: