diff options
author | Hugh Dickins <hugh@veritas.com> | 2007-02-10 04:43:00 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-02-11 13:51:17 -0500 |
commit | c3704ceb4ad055b489b143f4e37c57d128908012 (patch) | |
tree | 730892c9d4d9dbab03c77597e822a7cb79c9cd96 /mm | |
parent | f05b6284ee5d3be51ebe22284fc4b25fc586f380 (diff) |
[PATCH] page_mkwrite caller race fix
After do_wp_page has tested page_mkwrite, it must release old_page after
acquiring page table lock, not before: at some stage that ordering got
reversed, leaving a (very unlikely) window in which old_page might be
truncated, freed, and reused in the same position.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Acked-by: Nick Piggin <nickpiggin@yahoo.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r-- | mm/memory.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/mm/memory.c b/mm/memory.c index ef09f0acb1d..0047d3a4e36 100644 --- a/mm/memory.c +++ b/mm/memory.c | |||
@@ -1531,8 +1531,6 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma, | |||
1531 | if (vma->vm_ops->page_mkwrite(vma, old_page) < 0) | 1531 | if (vma->vm_ops->page_mkwrite(vma, old_page) < 0) |
1532 | goto unwritable_page; | 1532 | goto unwritable_page; |
1533 | 1533 | ||
1534 | page_cache_release(old_page); | ||
1535 | |||
1536 | /* | 1534 | /* |
1537 | * Since we dropped the lock we need to revalidate | 1535 | * Since we dropped the lock we need to revalidate |
1538 | * the PTE as someone else may have changed it. If | 1536 | * the PTE as someone else may have changed it. If |
@@ -1541,6 +1539,7 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma, | |||
1541 | */ | 1539 | */ |
1542 | page_table = pte_offset_map_lock(mm, pmd, address, | 1540 | page_table = pte_offset_map_lock(mm, pmd, address, |
1543 | &ptl); | 1541 | &ptl); |
1542 | page_cache_release(old_page); | ||
1544 | if (!pte_same(*page_table, orig_pte)) | 1543 | if (!pte_same(*page_table, orig_pte)) |
1545 | goto unlock; | 1544 | goto unlock; |
1546 | } | 1545 | } |