From: Greg Kroah-Hartman Date: Mon, 9 Jun 2014 22:11:05 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.14.7~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=74372071c767fb89ac60f371d49da0a281874725;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
---
diff --git a/queue-3.4/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch b/queue-3.4/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
new file mode 100644
index 00000000000..f9f20f239fc
--- /dev/null
+++ b/queue-3.4/mm-rmap-fix-use-after-free-in-__put_anon_vma.patch
@@ -0,0 +1,42 @@
+From 624483f3ea82598ab0f62f1bdb9177f531ab1892 Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin
+Date: Fri, 6 Jun 2014 19:09:30 +0400
+Subject: mm: rmap: fix use-after-free in __put_anon_vma
+
+From: Andrey Ryabinin
+
+commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream.
+
+While working address sanitizer for kernel I've discovered
+use-after-free bug in __put_anon_vma.
+
+For the last anon_vma, anon_vma->root freed before child anon_vma.
+Later in anon_vma_free(anon_vma) we are referencing to already freed
+anon_vma->root to check rwsem.
+
+This fixes it by freeing the child anon_vma before freeing
+anon_vma->root.
+
+Signed-off-by: Andrey Ryabinin
+Acked-by: Peter Zijlstra
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/rmap.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1721,10 +1721,9 @@ void __put_anon_vma(struct anon_vma *ano
+ {
+ struct anon_vma *root = anon_vma->root;
+
++ anon_vma_free(anon_vma);
+ if (root != anon_vma && atomic_dec_and_test(&root->refcount))
+ anon_vma_free(root);
+-
+- anon_vma_free(anon_vma);
+ }
+
+ #ifdef CONFIG_MIGRATION
diff --git a/queue-3.4/series b/queue-3.4/series
index b4adbdcf3c0..4e25d3157fc 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
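Review bot: The reordered body of __put_anon_vma in the queued mm/rmap.c hunk relies on two ordering constraints that nothing in the code records, so a later cleanup could silently reintroduce the use-after-free. First, `root` must be copied into the local before `anon_vma_free(anon_vma)` runs; second, the `root != anon_vma` test must stay to the left of `atomic_dec_and_test(&root->refcount)` so that a self-rooted anon_vma is never dereferenced after it has been freed. A comment above the moved call would pin this down, for example `/* Free the child first: anon_vma_free() inspects anon_vma->root, so root must outlive it. */`. For the non-root case, root staying valid until the decrement presumably depends on the child still holding its reference on root, which is not visible in this hunk and is worth confirming against the 3.4 tree.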
@@ -14,3 +14,4 @@ usb-ftdi_sio-add-novatech-orionlxm-product-id.patch
 usb-serial-option-add-support-for-novatel-e371-pcie-card.patch
 usb-io_ti-fix-firmware-download-on-big-endian-machines-part-2.patch
 usb-avoid-runtime-suspend-loops-for-hcds-that-can-t-handle-suspend-resume.patch
+mm-rmap-fix-use-after-free-in-__put_anon_vma.patch