Re: [PATCH] mremap NULL pointer dereference fix
From: Andrew Morton
Date: Tue Feb 17 2004 - 00:32:21 EST
Rajesh Venkatasubramanian <vrajesh@xxxxxxxxx> wrote:
>
> This path fixes a NULL pointer dereference bug in mremap. In
> move_one_page we need to re-check the src because an allocation
> for the dst page table can drop page_table_lock, and somebody
> else can invalidate the src.
OK.
> In my old Quad Pentium II 200MHz 256MB, with 2.6.3-rc3-mm1-preempt,
> I could hit the NULL pointer dereference bug with the program in the
> following URL:
>
> http://www-personal.engin.umich.edu/~vrajesh/linux/mremap-nullptr/
I cannot make any oops happen with that test app. On a 2-way,
CONFIG_PREEMPT=y.
I think we can simplify things in there a bit. How does this look?
mm/mremap.c | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff -puN mm/mremap.c~mremap-oops-fix mm/mremap.c
--- 25/mm/mremap.c~mremap-oops-fix 2004-02-16 20:53:25.000000000 -0800
+++ 25-akpm/mm/mremap.c 2004-02-16 21:00:05.000000000 -0800
@@ -135,15 +135,17 @@ move_one_page(struct vm_area_struct *vma
dst = alloc_one_pte_map(mm, new_addr);
if (src == NULL)
src = get_one_pte_map_nested(mm, old_addr);
- error = copy_one_pte(vma, old_addr, src, dst, &pte_chain);
- pte_unmap_nested(src);
- pte_unmap(dst);
- } else
/*
- * Why do we need this flush ? If there is no pte for
- * old_addr, then there must not be a pte for it as well.
+ * Since alloc_one_pte_map can drop and re-acquire
+ * page_table_lock, we should re-check the src entry...
*/
- flush_tlb_page(vma, old_addr);
+ if (src) {
+ error = copy_one_pte(vma, old_addr, src,
+ dst, &pte_chain);
+ pte_unmap_nested(src);
+ }
+ pte_unmap(dst);
+ }
spin_unlock(&mm->page_table_lock);
pte_chain_free(pte_chain);
out:
_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/