Merge android13-5.10-2022-09 into android13-gs-pixel-5.10-gs101-tm-qpr1

Merge SHA: dc30d33 FROMLIST: binder: fix UAF of alloc->vma in race with munmap() Bug: 233569354 Bug: 254837884 (ACK) Change-Id: I62cc3c727d97116702a5d8a6c71db125a9145bed Signed-off-by: Robin Peng <[email protected]>
celtare21 · Nov 9, 2022 · 341f279 · 341f279
2 parents beba115 + dc30d33
commit 341f279
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/drivers/android/binder_alloc.c b/drivers/android/binder_alloc.c
@@ -213,7 +213,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 		mm = alloc->vma_vm_mm;
 
 	if (mm) {
-		mmap_read_lock(mm);
+		mmap_write_lock(mm);
 		vma = alloc->vma;
 	}
 
@@ -271,7 +271,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 		trace_binder_alloc_page_end(alloc, index);
 	}
 	if (mm) {
-		mmap_read_unlock(mm);
+		mmap_write_unlock(mm);
 		mmput(mm);
 	}
 	return 0;
@@ -304,7 +304,7 @@ static int binder_update_page_range(struct binder_alloc *alloc, int allocate,
 	}
 err_no_vma:
 	if (mm) {
-		mmap_read_unlock(mm);
+		mmap_write_unlock(mm);
 		mmput(mm);
 	}
 	return vma ? -ENOMEM : -ESRCH;