[PATCH] ksm: fix losing visibility of part of rmap_item->next list

From: Andrea Arcangeli
Date: Wed Jun 03 2009 - 11:07:53 EST

Next message: Linus Torvalds: "Re: Security fix for remapping of page 0 (was [PATCH] ChangeZERO_SIZE_PTR to point at unmapped space)"
Previous message: Heinz Mauelshagen: "Re: [dm-devel] Re: ANNOUNCE: mdadm 3.0 - A tool for managing SoftRAID under Linux"
In reply to: Andrea Arcangeli: "[PATCH] ksm: fix rmap_item use after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andrea Arcangeli <aarcange@xxxxxxxxxx>

The tree_item->rmap_item is the head of the list and as such it must
not be overwritten except in the case that the element we removed
(rmap_item) was the previous head of the list, in which case it would
also have rmap_item->prev set to null.

Signed-off-by: Andrea Arcangeli <aarcange@xxxxxxxxxx>
---

diff --git a/mm/ksm.c b/mm/ksm.c
index 74d921b..6d8dfee 100644
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -397,10 +397,10 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
free_tree_item(tree_item);
nnodes_stable_tree--;
} else if (!rmap_item->prev) {
+ BUG_ON(tree_item->rmap_item != rmap_item);
tree_item->rmap_item = rmap_item->next;
- } else {
- tree_item->rmap_item = rmap_item->prev;
- }
+ } else
+ BUG_ON(tree_item->rmap_item == rmap_item);
} else {
/*
* We dont rb_erase(&tree_item->node) here, beacuse
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: Security fix for remapping of page 0 (was [PATCH] ChangeZERO_SIZE_PTR to point at unmapped space)"
Previous message: Heinz Mauelshagen: "Re: [dm-devel] Re: ANNOUNCE: mdadm 3.0 - A tool for managing SoftRAID under Linux"
In reply to: Andrea Arcangeli: "[PATCH] ksm: fix rmap_item use after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]