NothingOSS/android_kernel_msm-6.1_nothing_sm7635
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revert "binder: fix UAF of alloc->vma in race with munmap()"

Browse source 
This reverts commit 931ea1ed31.

It breaks the Android KABI and will be brought back at a later time when
it is safe to do so.

Bug: 161946584
Change-Id: Ifd180da4679aa5a2b0ef2d55f7750f392a5597ea
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This commit is contained in:
Greg Kroah-Hartman 2023-06-13 19:37:39 +00:00
parent 03c3264a15
commit 940f3dad8f
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
drivers/android/binder_alloc.c
View file

@ -213,7 +213,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
mm = alloc->mm; mm = alloc->mm;
if (mm) { if (mm) {
mmap_write_lock(mm); mmap_read_lock(mm);
vma = alloc->vma; vma = alloc->vma;
} }
@ -271,7 +271,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
trace_binder_alloc_page_end(alloc, index); trace_binder_alloc_page_end(alloc, index);
} }
if (mm) { if (mm) {
mmap_write_unlock(mm); mmap_read_unlock(mm);
mmput(mm); mmput(mm);
} }
return 0; return 0;
@ -304,7 +304,7 @@ err_page_ptr_cleared:
} }
err_no_vma: err_no_vma:
if (mm) { if (mm) {
mmap_write_unlock(mm); mmap_read_unlock(mm);
mmput(mm); mmput(mm);
} }
return vma ? -ENOMEM : -ESRCH; return vma ? -ENOMEM : -ESRCH;