    mm: add anon_vma_lock to validate_mm() · 63c3b902
    Michel Lespinasse authored
    Iterating over the vma->anon_vma_chain without anon_vma_lock may cause
    NULL ptr deref in anon_vma_interval_tree_verify(), because the node in the
    chain might have been removed.
    
      BUG: unable to handle kernel paging request at fffffffffffffff0
      IP: [<ffffffff8122c29c>] anon_vma_interval_tree_verify+0xc/0xa0
      PGD 4e28067 PUD 4e29067 PMD 0
      Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      CPU 0
      Pid: 9050, comm: trinity-child64 Tainted: G        W    3.7.0-rc2-next-20121025-sasha-00001-g673f98e-dirty #77
      RIP: 0010: anon_vma_interval_tree_verify+0xc/0xa0
      Process trinity-child64 (pid: 9050, threadinfo ffff880045f80000, task ffff880048eb0000)
      Call Trace:
        validate_mm+0x58/0x1e0
        vma_adjust+0x635/0x6b0
        __split_vma.isra.22+0x161/0x220
        split_vma+0x24/0x30
        sys_madvise+0x5da/0x7b0
        tracesys+0xe1/0xe6
      RIP  anon_vma_interval_tree_verify+0xc/0xa0
      CR2: fffffffffffffff0
    
    Figured out by Bob Liu.
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Bob Liu <lliubbo@gmail.com>
    Signed-off-by: Michel Lespinasse <walken@google.com>
    Reviewed-by: Rik van Riel <riel@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
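The race the commit message describes, as an added user-space example that is not kernel code: a singly linked chain stands in for vma->anon_vma_chain, a pthread mutex for anon_vma_lock, and a hook called between fetching a node and verifying it stands in for the madvise/munmap path that unlinks nodes concurrently. The names avc, anon_vma, build_chain, avc_remove_locked, racing_remover and validate_chain, and the "live" flag used to model freed-and-reused memory, are this example's own assumptions. The unlocked walk (validate_mm() before the fix) touches a node that was torn down under it; the locked walk holds the lock across the whole traversal and the remover is deferred.

```c
#include <errno.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for an anon_vma_chain entry; names and layout are this
 * example's own assumption, not the kernel's struct. */
struct avc {
    struct avc *next;
    int vma_id;
    int live;   /* cleared when the remover tears the node down */
};

/* Toy stand-in for anon_vma: the lock plus the chain it protects. */
struct anon_vma {
    pthread_mutex_t lock;
    struct avc *head;
};

/* Hook run between fetching a node and verifying it; it models the
 * concurrent path that unlinks chain entries while the walk is in flight. */
typedef void (*interleave_fn)(struct anon_vma *av, struct avc *cur);

/* Link n caller-owned nodes into av, node 0 first. Call once per av. */
void build_chain(struct anon_vma *av, struct avc *nodes, int n)
{
    int i;
    pthread_mutex_init(&av->lock, NULL);
    av->head = NULL;
    for (i = n - 1; i >= 0; i--) {
        nodes[i].vma_id = i;
        nodes[i].live = 1;
        nodes[i].next = av->head;
        av->head = &nodes[i];
    }
}

/* Unlink victim and poison it, standing in for its memory being freed and
 * reused. The caller must hold av->lock. Returns 1 if it was on the chain. */
int avc_remove_locked(struct anon_vma *av, struct avc *victim)
{
    struct avc **pp;
    for (pp = &av->head; *pp; pp = &(*pp)->next) {
        if (*pp == victim) {
            *pp = victim->next;
            victim->next = NULL;
            victim->live = 0;
            return 1;
        }
    }
    return 0;
}

/* The racing remover always takes the lock before unlinking. If the walker
 * holds it, removal is deferred: a real thread would block in mutex_lock,
 * trylock keeps this single-threaded model deterministic. */
void racing_remover(struct anon_vma *av, struct avc *cur)
{
    if (pthread_mutex_trylock(&av->lock) == EBUSY)
        return;
    avc_remove_locked(av, cur);
    pthread_mutex_unlock(&av->lock);
}

/* The walker, i.e. validate_mm()'s loop over the chain. take_lock == 0 is
 * the pre-fix behaviour (iterate unlocked); take_lock == 1 holds the lock
 * across the whole traversal, as the fix does. Returns the number of live
 * nodes verified, or -1 on touching a node removed under its feet, the
 * point at which the kernel oopsed in anon_vma_interval_tree_verify(). */
int validate_chain(struct anon_vma *av, interleave_fn hook, int take_lock)
{
    struct avc *cur;
    int verified = 0;

    if (take_lock)
        pthread_mutex_lock(&av->lock);
    for (cur = av->head; cur; cur = cur->next) {
        hook(av, cur);          /* the remover gets to run here */
        if (!cur->live) {       /* torn down: next is NULL, fields poisoned */
            verified = -1;
            break;
        }
        verified++;
    }
    if (take_lock)
        pthread_mutex_unlock(&av->lock);
    return verified;
}

int main(void)
{
    struct anon_vma av;
    struct avc nodes[3];   /* constructed sample chain of three entries */

    build_chain(&av, nodes, 3);
    printf("locked walk:   %d\n", validate_chain(&av, racing_remover, 1));
    printf("unlocked walk: %d\n", validate_chain(&av, racing_remover, 0));
    return 0;
}
```

The locked walk reports all three entries because the remover's trylock fails while the walker holds anon_vma's lock; the unlocked walk lets the remover unlink and poison the very node the walker is about to verify, which is the NULL-pointer dereference the oops above shows. In the kernel the walker would dereference freed memory rather than see a flag, so the model detects what the real code crashes on.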