Commit 7a6b4e0d authored by Andrew Morton, committed by James Bottomley

[PATCH] Fix vm_area_struct slab corruption

Patch from Hugh Dickins <hugh@veritas.com>

Hugh's patch fixes vm_area_struct slab corruption due to mremap's move_vma
mistaking how do_munmap splits vmas in one case.

Neither of us are very happy with it - it is fragile, and obscure.  Hugh will
revisit this later, but for now it should fix up the potential memory
corruption.
parent 83bfc5dd
...@@ -1258,20 +1258,24 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len) ...@@ -1258,20 +1258,24 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
/* /*
* If we need to split any vma, do it now to save pain later. * If we need to split any vma, do it now to save pain later.
*
* Note: mremap's move_vma VM_ACCOUNT handling assumes a partially
* unmapped vm_area_struct will remain in use: so lower split_vma
* places tmp vma above, and higher split_vma places tmp vma below.
*/ */
if (start > mpnt->vm_start) { if (start > mpnt->vm_start) {
if (split_vma(mm, mpnt, start, 0)) if (split_vma(mm, mpnt, start, 0))
return -ENOMEM; return -ENOMEM;
prev = mpnt; prev = mpnt;
mpnt = mpnt->vm_next;
} }
/* Does it split the last one? */ /* Does it split the last one? */
last = find_vma(mm, end); last = find_vma(mm, end);
if (last && end > last->vm_start) { if (last && end > last->vm_start) {
if (split_vma(mm, last, end, 0)) if (split_vma(mm, last, end, 1))
return -ENOMEM; return -ENOMEM;
} }
mpnt = prev? prev->vm_next: mm->mmap;
/* /*
* Remove the vma's, and unmap the actual pages * Remove the vma's, and unmap the actual pages
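Review bot: the re-derivation `mpnt = prev? prev->vm_next: mm->mmap;` after the second split is the line that actually depends on the convention the new comment describes, and it deserves a comment of its own. With `split_vma(mm, last, end, 1)` the temporary vma is placed below `last`, so when `start` and `end` fall inside the same vma the original `mpnt` now holds the part above `end` and the vma to unmap is the fresh one reached through `prev` (or `mm->mmap` when there is no `prev`); a reader who sees only the moved assignment cannot tell why `mpnt->vm_next` is no longer correct. Since the commit message itself calls the arrangement fragile and obscure, consider stating the invariant at `split_vma` as well (the original vm_area_struct keeps the portion that stays mapped, which is what move_vma's VM_ACCOUNT handling relies on), or checking it with a BUG_ON-style assertion, so that a later change to the meaning of `new_below` does not silently reintroduce the slab corruption this patch fixes.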