ANDROID: fix a race between speculative page walk and unmap operations
Speculative page fault walks the page tables under RCU protection and
assumes that page tables are stable after ptl lock is taken. Current
implementation has three issues:
1. While pmd can't be destroyed while in RCU read section, it can be
cleared and result in an invalid ptl lock address. Fix that by
rechecking pmd value after obtaining ptl lock.
2. In case of CONFIG_ALLOC_SPLIT_PTLOCKS, ptl lock is separate from the
pmd and is destroyed by a synchronous call to pgtable_pmd_page_dtor,
which can happen while page walker is in RCU section. Prevent this by
adding a dependency for CONFIG_SPECULATIVE_PAGE_FAULT to require
!CONIG_ALLOC_SPLIT_PTLOCKS.
3. Below sequence when do_mmap happens after the last mmap_seq check
would result in use-after-free issue.
__pte_map_lock
rcu_read_lock()
mmap_seq_read_check()
ptl = pte_lockptr(vmf->pmd)
spin_trylock(ptl)
mmap_seq_read_check()
mmap_write_lock()
do_mmap()
unmap_region()
unmap_vmas()
free_pgtables()
...
free_pte_range
pmd_clear
pte_free_tlb
...
call_rcu(tlb_remove_table_rcu)
rcu_read_unlock()
tlb_remove_table_rcu
spin_unlock(ptl) <-- UAF!
To prevent that free_pte_range needs to be blocked if ptl is locked and
is in use.
[tyler wang: This is a backport from
https://android-review.googlesource.com/c/kernel/common/+/2330194.
We have adapted the corresponding modifications from 5.15 to 5.10,
including the changes made to the function __pte_map_lock in 5.15, which have
been adapted to the functions pte_spinlock and __pte_map_lock_speculative in
5.10. Additionally, following surenb's suggestion, we have folded
https://android-review.googlesource.com/c/kernel/common/+/2368961
in this patch.]
Bug: 278602292
Change-Id: I7b353f0995fc59e92bb2069bcdc7d1ac29b521b9
Signed-off-by: 
Dezhi Huang <huangdezhi@hihonor.com>
Loading
Please sign in to comment