[PATCH] install_page pte use-after-unmap fix

From: Rajesh Venkatasubramanian <vrajesh@eecs.umich.edu> Don't deref the pte pointer after having kunmapped the memory it points at.

[PATCH] install_page pte use-after-unmap fix
From: Rajesh Venkatasubramanian <vrajesh@eecs.umich.edu> Don't deref the pte pointer after having kunmapped the memory it points at.
00dbb2ea · Andrew Morton · Linus Torvalds · be98a9cd · 00dbb2ea
Commit 00dbb2ea authored Sep 09, 2003 by Andrew Morton Committed by Linus Torvalds Sep 09, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

mm/fremap.c mm/fremap.c +6 -2

No files found.
--- a/mm/fremap.c
+++ b/mm/fremap.c
@@ -61,6 +61,7 @@ int install_page(struct mm_struct *mm, struct vm_area_struct *vma,
 	pte_t *pte;
 	pgd_t *pgd;
 	pmd_t *pmd;
+	pte_t pte_val;
 	struct pte_chain *pte_chain;

 	pte_chain = pte_chain_alloc(GFP_KERNEL);
@@ -83,10 +84,11 @@ int install_page(struct mm_struct *mm, struct vm_area_struct *vma,
 	flush_icache_page(vma, page);
 	set_pte(pte, mk_pte(page, prot));
 	pte_chain = page_add_rmap(page, pte, pte_chain);
+	pte_val = *pte;
 	pte_unmap(pte);
 	if (flush)
 		flush_tlb_page(vma, addr);
-	update_mmu_cache(vma, addr, *pte);
+	update_mmu_cache(vma, addr, pte_val);
 	spin_unlock(&mm->page_table_lock);
 	pte_chain_free(pte_chain);
 	return 0;
@@ -111,6 +113,7 @@ int install_file_pte(struct mm_struct *mm, struct vm_area_struct *vma,
 	pte_t *pte;
 	pgd_t *pgd;
 	pmd_t *pmd;
+	pte_t pte_val;

 	pgd = pgd_offset(mm, addr);
 	spin_lock(&mm->page_table_lock);
@@ -126,10 +129,11 @@ int install_file_pte(struct mm_struct *mm, struct vm_area_struct *vma,
 	flush = zap_pte(mm, vma, addr, pte);

 	set_pte(pte, pgoff_to_pte(pgoff));
+	pte_val = *pte;
 	pte_unmap(pte);
 	if (flush)
 		flush_tlb_page(vma, addr);
-	update_mmu_cache(vma, addr, *pte);
+	update_mmu_cache(vma, addr, pte_val);
 	spin_unlock(&mm->page_table_lock);
 	return 0;