CVE-2022-50240
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
10/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

android: binder: stop saving a pointer to the VMA

Do not record a pointer to a VMA outside of the mmap_lock for later use.
This is unsafe and there are a number of failure paths *after* the
recorded VMA pointer may be freed during setup. There is no callback to
the driver to clear the saved pointer from generic mm code. Furthermore,
the VMA pointer may become stale if any number of VMA operations end up
freeing the VMA, so saving it was fragile to begin with.

Instead, change the binder_alloc struct to record the start address of the
VMA and use vma_lookup() to get the vma when needed. Add lockdep
mmap_lock checks on updates to the vma pointer to ensure the lock is held
and depend on that lock for synchronization of readers and writers - which
was already the case anyway, so the smp_wmb()/smp_rmb() was not
necessary.

[akpm@linux-foundation.org: fix drivers/android/binder_alloc_selftest.c]
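The pattern the fix describes, as an added user-space model that is not the kernel's code or the referenced patch: a driver that caches a raw VMA pointer keeps handing it back after the VMA has been freed, while a driver that caches only vm_start and re-resolves it through vma_lookup() under the lock correctly gets NULL. The struct mm, vmas[] table, mmap_lock_held flag, mmap_assert_locked(), mm_map() and mm_unmap() below are stand-ins for mm_struct, the VMA tree, the mmap_lock rwsem and the mm mapping paths; run_demo() and the alloc_old/alloc_fixed names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model: struct mm stands in for mm_struct, the vmas[] table
 * for the VMA tree, and mmap_lock_held for the mmap_lock rwsem. */
#define MAX_VMAS 8

struct vma {
    uintptr_t vm_start;
    uintptr_t vm_end;
};

struct mm {
    struct vma *vmas[MAX_VMAS];
    bool mmap_lock_held;
};

static void mmap_write_lock(struct mm *mm)   { mm->mmap_lock_held = true; }
static void mmap_write_unlock(struct mm *mm) { mm->mmap_lock_held = false; }

/* Model of mmap_assert_locked(): touching VMA state unlocked is fatal. */
static void mmap_assert_locked(const struct mm *mm)
{
    if (!mm->mmap_lock_held)
        abort();
}

/* Model of the kernel's vma_lookup(): the VMA containing addr, or NULL. */
static struct vma *vma_lookup(struct mm *mm, uintptr_t addr)
{
    mmap_assert_locked(mm);
    for (int i = 0; i < MAX_VMAS; i++) {
        struct vma *v = mm->vmas[i];
        if (v && addr >= v->vm_start && addr < v->vm_end)
            return v;
    }
    return NULL;
}

static struct vma *mm_map(struct mm *mm, uintptr_t start, size_t len)
{
    mmap_assert_locked(mm);
    for (int i = 0; i < MAX_VMAS; i++) {
        if (mm->vmas[i])
            continue;
        struct vma *v = calloc(1, sizeof(*v));
        if (!v)
            return NULL;
        v->vm_start = start;
        v->vm_end = start + len;
        mm->vmas[i] = v;
        return v;
    }
    return NULL;
}

/* Unmapping frees the VMA; no callback tells a driver its cached pointer died. */
static void mm_unmap(struct mm *mm, uintptr_t start)
{
    mmap_assert_locked(mm);
    for (int i = 0; i < MAX_VMAS; i++) {
        if (mm->vmas[i] && mm->vmas[i]->vm_start == start) {
            free(mm->vmas[i]);
            mm->vmas[i] = NULL;
        }
    }
}

/* Pre-fix shape of binder_alloc: the VMA pointer itself is cached. */
struct alloc_old { struct vma *vma; };

/* Post-fix shape: only vm_start is cached; reads go through vma_lookup()
 * under the lock, so a freed VMA yields NULL instead of a dangling pointer. */
struct alloc_fixed { uintptr_t vma_addr; };

static void fixed_set_vma(struct mm *mm, struct alloc_fixed *a, struct vma *v)
{
    mmap_assert_locked(mm);            /* the lockdep check the fix adds */
    a->vma_addr = v ? v->vm_start : 0;
}

static struct vma *fixed_get_vma(struct mm *mm, struct alloc_fixed *a)
{
    return a->vma_addr ? vma_lookup(mm, a->vma_addr) : NULL;
}

struct demo_result {
    bool fixed_found_while_mapped; /* fixed design sees the VMA while it exists */
    bool old_still_non_null;       /* old design hands back a pointer after free */
    bool fixed_returns_null;       /* fixed design reports the VMA is gone */
};

/* Map, let both designs record the VMA, unmap it (as a failed setup path or a
 * later munmap would), then query both. The stale pointer is only compared
 * against NULL, never dereferenced. */
struct demo_result run_demo(void)
{
    struct mm mm = {0};
    struct alloc_old old = {0};
    struct alloc_fixed fixed = {0};
    struct demo_result r = {0};
    const uintptr_t start = 0x10000000u;

    mmap_write_lock(&mm);
    struct vma *v = mm_map(&mm, start, 0x100000);
    old.vma = v;
    fixed_set_vma(&mm, &fixed, v);
    r.fixed_found_while_mapped = (fixed_get_vma(&mm, &fixed) == v);
    mm_unmap(&mm, start);
    r.old_still_non_null = (old.vma != NULL);
    r.fixed_returns_null = (fixed_get_vma(&mm, &fixed) == NULL);
    mmap_write_unlock(&mm);
    return r;
}
```

In the real driver the equivalent of fixed_get_vma() is a vma_lookup() call under mmap_lock at each use site, which is what removes the need for the smp_wmb()/smp_rmb() pairing: the lock, not a memory barrier, orders the writer that records vm_start against the readers.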
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/015ac18be7de25d17d6e5f1643cb3b60bfbe859e
- https://git.kernel.org/stable/c/1ec3f76a436d750fd5023caec5da0494fc2870d2
- https://git.kernel.org/stable/c/27a594bc7a7c8238d239e3cdbcf2edfa3bbe9a1b
- https://git.kernel.org/stable/c/622ef885a89ad04cfb76ee478fb44f051125d1f1
- https://git.kernel.org/stable/c/925e6b6f82c9c80ab3c17acbde8d16f349da7d26
- https://git.kernel.org/stable/c/a43cfc87caaf46710c8027a8c23b8a55f1078f19