aboutsummaryrefslogtreecommitdiffstats
path: root/mm/memory.c
diff options
context:
space:
mode:
authorHugh Dickins <hugh@veritas.com>2007-02-10 04:43:00 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-02-11 13:51:17 -0500
commitc3704ceb4ad055b489b143f4e37c57d128908012 (patch)
tree730892c9d4d9dbab03c77597e822a7cb79c9cd96 /mm/memory.c
parentf05b6284ee5d3be51ebe22284fc4b25fc586f380 (diff)
[PATCH] page_mkwrite caller race fix
After do_wp_page has tested page_mkwrite, it must release old_page after acquiring page table lock, not before: at some stage that ordering got reversed, leaving a (very unlikely) window in which old_page might be truncated, freed, and reused in the same position. Signed-off-by: Hugh Dickins <hugh@veritas.com> Acked-by: Nick Piggin <nickpiggin@yahoo.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/memory.c')
-rw-r--r--mm/memory.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/mm/memory.c b/mm/memory.c
index ef09f0acb1d8..0047d3a4e364 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1531,8 +1531,6 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,
1531 if (vma->vm_ops->page_mkwrite(vma, old_page) < 0) 1531 if (vma->vm_ops->page_mkwrite(vma, old_page) < 0)
1532 goto unwritable_page; 1532 goto unwritable_page;
1533 1533
1534 page_cache_release(old_page);
1535
1536 /* 1534 /*
1537 * Since we dropped the lock we need to revalidate 1535 * Since we dropped the lock we need to revalidate
1538 * the PTE as someone else may have changed it. If 1536 * the PTE as someone else may have changed it. If
@@ -1541,6 +1539,7 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma,
1541 */ 1539 */
1542 page_table = pte_offset_map_lock(mm, pmd, address, 1540 page_table = pte_offset_map_lock(mm, pmd, address,
1543 &ptl); 1541 &ptl);
1542 page_cache_release(old_page);
1544 if (!pte_same(*page_table, orig_pte)) 1543 if (!pte_same(*page_table, orig_pte))
1545 goto unlock; 1544 goto unlock;
1546 } 1545 }