
Commit 91212fa8 authored by Vinayak Menon, committed by David Keitel

mm: zcache: fix use after free in zcache_store_page



There is a chance of zbud handle being used after a free.
Unable to handle kernel paging request at virtual address ffffffc05be72040
PC is at zcache_store_page+0x59c/0x618
LR is at zcache_store_page+0x59c/0x618
[<ffffffc00019c99c>] zcache_store_page+0x59c/0x618
[<ffffffc0001a70c4>] __cleancache_put_page+0x94/0xcc
[<ffffffc00015da4c>] __delete_from_page_cache+0xc0/0x2cc
[<ffffffc00016d230>] __remove_mapping+0xe4/0x128
[<ffffffc00016e750>] shrink_page_list+0x634/0x95c
[<ffffffc00016f32c>] shrink_inactive_list+0x41c/0x67c
[<ffffffc00016fc14>] shrink_lruvec+0x364/0x510
[<ffffffc00016fe10>] shrink_zone+0x50/0x12c
[<ffffffc000170278>] try_to_free_pages+0x38c/0x56c
[<ffffffc000164e4c>] __alloc_pages_nodemask+0x5e0/0x994
[<ffffffc000165214>] __get_free_pages+0x14/0x60

CRs-Fixed: 968859
Change-Id: I24f6cf8ccbac956d4c3114e70a9f94f5e3bfa1c8
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
parent f4066d1c
+1 −0
@@ -687,6 +687,7 @@ zero:
		zcache_store_failed++;
		if (!zero)
			zbud_free(zpool->pool, zaddr);
		return;
	}

	/* update stats */
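
Review bot: the "return;" that closes the failure branch is unconditional, so it also skips the "/* update stats */" code when "zero" is set and "zbud_free(zpool->pool, zaddr)" was never called; please confirm that skipping the stats update is intended for the zero-page failure case as well, not only for the freed-handle case. Neither the hunk nor the commit message names the statement after this branch that touches the freed handle, so a one-line comment above the return (for example, that zaddr is no longer valid past this point and the store has failed) would keep a later refactor from reintroducing the fall-through. The oops in the commit message shows the fault inside zcache_store_page but not which access faulted, so stating that in the message would make the fix easier to verify.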