[patch 24/43] Fix OOPS in mmap_region() when merging adjacent VM_LOCKED file segments

From: Greg KH
Date: Fri Jan 30 2009 - 22:07:52 EST


2.6.28-stable review patch. If anyone has any objections, please let us know.

------------------

From: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

This patch differs from the upstream commit
de33c8db5910cda599899dd431cc30d7c1018cbf written by Linus, as it aims to
only prevent the oops from happening, not attempt to change anything
else.


The problem was introduced by commit
ba470de43188cdbff795b5da43a1474523c6c2fb

which added new references to *vma after we've potentially freed it.

From: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Reported-by: Maksim Yevmenkin <maksim.yevmenkin@xxxxxxxxx>
Tested-by: Maksim Yevmenkin <maksim.yevmenkin@xxxxxxxxx>
Cc: Lee Schermerhorn <Lee.Schermerhorn@xxxxxx>
Cc: Nick Piggin <npiggin@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Rik van Riel <riel@xxxxxxxxxx>
Cc: Hugh Dickins <hugh@xxxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>


---
mm/mmap.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1095,6 +1095,7 @@ unsigned long mmap_region(struct file *f
{
struct mm_struct *mm = current->mm;
struct vm_area_struct *vma, *prev;
+ struct vm_area_struct *merged_vma;
int correct_wcount = 0;
int error;
struct rb_node **rb_link, *rb_parent;
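Review bot: `merged_vma` is declared here without an initializer and only receives `merged_vma = NULL;` in the second hunk, immediately before the `if (file)` guard. Initializing it at the declaration (`struct vm_area_struct *merged_vma = NULL;`) would drop that separate assignment and guarantee the pointer is never read uninitialized should a later change add another path to the `if (merged_vma)` test.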
@@ -1207,13 +1208,17 @@ munmap_back:
if (vma_wants_writenotify(vma))
vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);

- if (file && vma_merge(mm, prev, addr, vma->vm_end,
- vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
+ merged_vma = NULL;
+ if (file)
+ merged_vma = vma_merge(mm, prev, addr, vma->vm_end,
+ vma->vm_flags, NULL, file, pgoff, vma_policy(vma));
+ if (merged_vma) {
mpol_put(vma_policy(vma));
kmem_cache_free(vm_area_cachep, vma);
fput(file);
if (vm_flags & VM_EXECUTABLE)
removed_exe_file_vma(mm);
+ vma = merged_vma;
} else {
vma_link(mm, vma, prev, rb_link, rb_parent);
file = vma->vm_file;

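Review bot: the reassignment `vma = merged_vma;` sits after `fput(file)` and `removed_exe_file_vma(mm)`, while `vma` is already dangling from `kmem_cache_free(vm_area_cachep, vma);` onward. The two intervening calls take `file` and `mm`, not `vma`, so the order is correct as written, but placing `vma = merged_vma;` directly after the free would shrink the window in which a future edit could reintroduce the use-after-free this patch fixes; the code following the `else` branch (the VM_LOCKED handling added by ba470de43188cdbff795b5da43a1474523c6c2fb) now correctly sees the surviving vma returned by `vma_merge`.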