The patch titled ksm: fix rmap_item use after free has been removed from the -mm tree. Its filename was ksm-add-ksm-kernel-shared-memory-driver-ksm-fix-rmap_item-use-after-free.patch This patch was dropped because an updated version will be merged The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: ksm: fix rmap_item use after free From: Andrea Arcangeli <aarcange@xxxxxxxxxx> This avoid crashing with slab debugging enabled by removing a window for memory corruption if freed slab entries are reused before we read the next pointer. Against mmotm. Signed-off-by: Andrea Arcangeli <aarcange@xxxxxxxxxx> Cc: Izik Eidus <ieidus@xxxxxxxxxx> Cc: Chris Wright <chrisw@xxxxxxxxxx> Cc: Avi Kivity <avi@xxxxxxxxxx> Cc: Hugh Dickins <hugh.dickins@xxxxxxxxxxxxx> Cc: Nick Piggin <nickpiggin@xxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/ksm.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff -puN mm/ksm.c~ksm-add-ksm-kernel-shared-memory-driver-ksm-fix-rmap_item-use-after-free mm/ksm.c --- a/mm/ksm.c~ksm-add-ksm-kernel-shared-memory-driver-ksm-fix-rmap_item-use-after-free +++ a/mm/ksm.c @@ -892,7 +892,7 @@ static struct rmap_item *stable_tree_sea { struct rb_node *node = root_stable_tree.rb_node; struct tree_item *tree_item; - struct rmap_item *found_rmap_item; + struct rmap_item *found_rmap_item, *next_rmap_item; while (node) { int ret; @@ -907,9 +907,11 @@ static struct rmap_item *stable_tree_sea found_rmap_item->address == rmap_item->address)) { if (!is_zapped_item(found_rmap_item, page2)) break; + next_rmap_item = found_rmap_item->next; remove_rmap_item_from_tree(found_rmap_item); - } - found_rmap_item = found_rmap_item->next; + found_rmap_item = next_rmap_item; + } else + found_rmap_item = found_rmap_item->next; } if (!found_rmap_item) goto out_didnt_find; 
@@ -959,7 +961,7 @@ static int stable_tree_insert(struct pag while (*new) { int ret; - struct rmap_item *insert_rmap_item; + struct rmap_item *insert_rmap_item, *next_rmap_item; tree_item = rb_entry(*new, struct tree_item, node); BUG_ON(!tree_item); @@ -973,9 +975,11 @@ static int stable_tree_insert(struct pag insert_rmap_item->address == rmap_item->address)) { if (!is_zapped_item(insert_rmap_item, page2)) break; + next_rmap_item = insert_rmap_item->next; remove_rmap_item_from_tree(insert_rmap_item); - } - insert_rmap_item = insert_rmap_item->next; + insert_rmap_item = next_rmap_item; + } else + insert_rmap_item = insert_rmap_item->next; } if (!insert_rmap_item) return 1; _ Patches currently in -mm which might be from aarcange@xxxxxxxxxx are linux-next.patch ksm-add-ksm-kernel-shared-memory-driver-ksm-fix-rmap_item-use-after-free.patch ksm-add-replace_page-change-the-page-pte-is-pointing-to-fix-losing-visibility-of-part-of-rmap_item-next-list.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
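Review bot: in the `@@ -907,9 +907,11 @@` hunk of stable_tree_search(), loading `found_rmap_item->next` into `next_rmap_item` before calling `remove_rmap_item_from_tree(found_rmap_item)` is the right ordering, since the removed code read `found_rmap_item->next` after the item could already have been freed and its slab slot reused. Style point: the `if` arm is a multi-line braced block while the new `} else` arm is a single unbraced statement; kernel coding style wants braces on both arms when either needs them, i.e. `} else {` / `found_rmap_item = found_rmap_item->next;` / `}`. A one-line comment above the `next_rmap_item = found_rmap_item->next;` load, saying it must precede the free, would stop someone "simplifying" it back later.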
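Review bot: the `@@ -973,9 +975,11 @@` hunk in stable_tree_insert() is the same read-next-then-remove change as the stable_tree_search() hunk, line for line, with only `found_rmap_item` renamed to `insert_rmap_item`; both functions walk a tree_item's rmap_item list with identical is_zapped_item()/remove_rmap_item_from_tree() logic, which is why the same use-after-free had to be patched twice. Suggest moving that walk (check is_zapped_item, save next, remove, advance) into one static helper used by both callers, so a future fix cannot land in one copy and miss the other. The same brace point applies to the new `} else` arm here.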