From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Mon, 16 Feb 2004 23:41:17 -0500 (EST) From: Rajesh Venkatasubramanian Subject: [PATCH] mremap NULL pointer dereference fix Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-linux-mm@kvack.org Return-Path: To: akpm@osdl.org Cc: linux-kernel@vger.kernel.org, Linux-MM@kvack.org List-ID: This path fixes a NULL pointer dereference bug in mremap. In move_one_page we need to re-check the src because an allocation for the dst page table can drop page_table_lock, and somebody else can invalidate the src. In my old Quad Pentium II 200MHz 256MB, with 2.6.3-rc3-mm1-preempt, I could hit the NULL pointer dereference bug with the program in the following URL: http://www-personal.engin.umich.edu/~vrajesh/linux/mremap-nullptr/ Full trace of the bug can be found at the above URL. A partial call trace is below. kernel: PREEMPT SMP kernel: EIP is at copy_one_pte+0x12/0xa0 kernel: [] move_one_page+0xa3/0x110 kernel: [] move_page_tables+0x37/0x80 kernel: [] move_vma+0x8a/0x5e0 kernel: [] do_mremap+0x29c/0x3d0 kernel: [] sys_mremap+0x4d/0x6d kernel: [] syscall_call+0x7/0xb Please apply. mm/mremap.c | 26 ++++++++++++++++++++------ 1 files changed, 20 insertions(+), 6 deletions(-) diff -puN mm/mremap.c~nullptr mm/mremap.c --- mmlinux-2.6/mm/mremap.c~nullptr 2004-02-16 17:24:00.000000000 -0500 +++ mmlinux-2.6-jaya/mm/mremap.c 2004-02-16 17:24:00.000000000 -0500 @@ -135,17 +135,31 @@ move_one_page(struct vm_area_struct *vma dst = alloc_one_pte_map(mm, new_addr); if (src == NULL) src = get_one_pte_map_nested(mm, old_addr); + /* + * Since alloc_one_pte_map can drop and re-acquire + * page_table_lock, we should re-check the src entry... + */ + if (src == NULL) { + pte_unmap(dst); + goto flush_out; + } error = copy_one_pte(vma, old_addr, src, dst, &pte_chain); pte_unmap_nested(src); pte_unmap(dst); - } else - /* - * Why do we need this flush ? If there is no pte for - * old_addr, then there must not be a pte for it as well. - */ - flush_tlb_page(vma, old_addr); + goto unlock_out; + } + +flush_out: + /* + * Why do we need this flush ? If there is no pte for + * old_addr, then there must not be a pte for it as well. + */ + flush_tlb_page(vma, old_addr); + +unlock_out: spin_unlock(&mm->page_table_lock); pte_chain_free(pte_chain); + out: return error; } _ -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: aart@kvack.org