[3.13.y.z extended stable] Patch "mm: rmap: fix use-after-free in __put_anon_vma" has been added to staging queue

[Kamal Mostafa]

This is a note to let you know that I have just added a patch titled

    mm: rmap: fix use-after-free in __put_anon_vma

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.4.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 55cf8656e0c33b3b264581fd30162cbb45a7b3af Mon Sep 17 00:00:00 2001
From: Andrey Ryabinin <a.ryabinin at samsung.com>
Date: Fri, 6 Jun 2014 19:09:30 +0400
Subject: mm: rmap: fix use-after-free in __put_anon_vma

commit 624483f3ea82598ab0f62f1bdb9177f531ab1892 upstream.

While working address sanitizer for kernel I've discovered
use-after-free bug in __put_anon_vma.

For the last anon_vma, anon_vma->root freed before child anon_vma.
Later in anon_vma_free(anon_vma) we are referencing to already freed
anon_vma->root to check rwsem.

This fixes it by freeing the child anon_vma before freeing
anon_vma->root.

Signed-off-by: Andrey Ryabinin <a.ryabinin at samsung.com>
Acked-by: Peter Zijlstra <peterz at infradead.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 mm/rmap.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mm/rmap.c b/mm/rmap.c
index b99c742..22478fb 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1678,10 +1678,9 @@ void __put_anon_vma(struct anon_vma *anon_vma)
 {
 	struct anon_vma *root = anon_vma->root;

+	anon_vma_free(anon_vma);
 	if (root != anon_vma && atomic_dec_and_test(&root->refcount))
 		anon_vma_free(root);
-
-	anon_vma_free(anon_vma);
 }

 #ifdef CONFIG_MIGRATION
--
1.9.1