From 940f3dad8f40d98e70ab04b75642e732aeb6005e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 13 Jun 2023 19:37:39 +0000
Subject: [PATCH] Revert "binder: fix UAF of alloc->vma in race with munmap()"
This reverts commit 931ea1ed31be939c1efdbc49bc66d2a45684f9b4. It breaks the Android KABI and will be brought back at a later time when it is safe to do so.
Bug: 161946584
Change-Id: Ifd180da4679aa5a2b0ef2d55f7750f392a5597ea
Signed-off-by: Greg Kroah-Hartman
---
 drivers/android/binder_alloc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
index 7d10b7e4d767..8dc677f58ebb 100644
--- a/drivers/android/binder_alloc.c
+++ b/drivers/android/binder_alloc.c
@@ -213,7 +213,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 mm = alloc->mm;
 if (mm) {
- mmap_write_lock(mm);
+ mmap_read_lock(mm);
 vma = alloc->vma;
 }
@@ -271,7 +271,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 trace_binder_alloc_page_end(alloc, index);
 }
 if (mm) {
- mmap_write_unlock(mm);
+ mmap_read_unlock(mm);
 mmput(mm);
 }
 return 0;
@@ -304,7 +304,7 @@ err_page_ptr_cleared:
 }
 err_no_vma:
 if (mm) {
- mmap_write_unlock(mm);
+ mmap_read_unlock(mm);
 mmput(mm);
 }
 return vma ? -ENOMEM : -ESRCH;
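Review bot: Taking only `mmap_read_lock(mm)` around `vma = alloc->vma` in binder_update_page_range() restores the state that the reverted commit's title describes as a use-after-free of alloc->vma in a race with munmap(), and nothing in the new code records that this is a known, temporary regression. The same applies to the matching `mmap_read_unlock(mm)` calls on the success path (second hunk) and under `err_no_vma:` (third hunk). I would add a comment above the lock, e.g. `/* FIXME: read lock does not exclude the munmap() race fixed by 931ea1ed31be; restore mmap_write_lock() once the KABI allows it */`, so the exposure is visible at the call site and not only in the log. The uses of `vma` between lock and unlock lie outside these hunks, so how far the window extends cannot be confirmed from here. None of the three hunks touches a structure layout or an exported symbol, so the description would be easier to audit if it named which part of the KABI the write-lock variant breaks.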