Commit f0f5d073 authored by Andrew Morton, committed by David S. Miller

[PATCH] mremap use-after-free bugfix

I have invented a new software development methodology! You send an
email to Hugh saying "I don't have the foggiest idea why this guy's
kernel is oopsing" and next morning, you get a patch! I shall patent
this.

Since 2.5.3, move_vma() has been passing a freed vma into
move_page_tables().  Fix it to move back to the previous vma in the
list if we're about to delete this one.

Thanks to Morten Helgesen for patient reporting, diagnosis and testing.
parent d4979c79
...@@ -194,7 +194,8 @@ static inline unsigned long move_vma(struct vm_area_struct * vma, ...@@ -194,7 +194,8 @@ static inline unsigned long move_vma(struct vm_area_struct * vma,
prev->vm_end = next->vm_end; prev->vm_end = next->vm_end;
__vma_unlink(mm, next, prev); __vma_unlink(mm, next, prev);
spin_unlock(&mm->page_table_lock); spin_unlock(&mm->page_table_lock);
if (vma == next)
vma = prev;
mm->map_count--; mm->map_count--;
kmem_cache_free(vm_area_cachep, next); kmem_cache_free(vm_area_cachep, next);
} }
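Review bot: the new `if (vma == next) vma = prev;` has to sit after `__vma_unlink(mm, next, prev)` and before `kmem_cache_free(vm_area_cachep, next)`, which is where the hunk places it, because `vma` is the pointer the caller keeps using after this block and `next` is freed two lines later; a one-line comment at that spot saying that `next` is about to be freed and that `prev` now covers the merged range (its `vm_end` was just set to `next->vm_end` a few lines above) would make the reason for the reassignment obvious to the next reader. No correctness problem is visible in the hunk itself.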