diff options
author | Matthew Wilcox <willy@infradead.org> | 2019-03-06 00:46:02 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-03-06 06:07:17 +0100 |
commit | 2d432cb7091e99881af803cdd67a31969b863005 (patch) | |
tree | 6482724693aae6407eeb30d339aebef534e850bd /mm/memory.c | |
parent | mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! (diff) | |
download | linux-2d432cb7091e99881af803cdd67a31969b863005.tar.xz linux-2d432cb7091e99881af803cdd67a31969b863005.zip |
mm: prevent mapping slab pages to userspace
It's never appropriate to map a page allocated by SLAB into userspace.
A buggy device driver might try this, or an attacker might be able to
find a way to make it happen.
Christoph said:
: Let's just fail the code. Currently this may work with SLUB. But SLAB
: and SLOB overlay fields with mapcount. So you would have a corrupted page
: struct if you mapped a slab page to user space.
Link: http://lkml.kernel.org/r/20190125173827.2658-1-willy@infradead.org
Signed-off-by: Matthew Wilcox <willy@infradead.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Pekka Enberg <penberg@kernel.org>
Cc: Rik van Riel <riel@surriel.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to '')
-rw-r--r-- | mm/memory.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/mm/memory.c b/mm/memory.c index 222da66f16b4..a9897dcd530f 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1452,7 +1452,7 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr, spinlock_t *ptl; retval = -EINVAL; - if (PageAnon(page)) + if (PageAnon(page) || PageSlab(page)) goto out; retval = -ENOMEM; flush_dcache_page(page); |