From: Paul Mackerras <paulus@samba.org>
To: torvalds@transmeta.com
Cc: hch@infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] fix null dereference in sys_mprotect
Date: Wed, 25 Sep 2002 12:18:21 +1000 (EST)
Message-ID: <15761.7405.707435.845733@argo.ozlabs.ibm.com>

Linus,

As it is at the moment, sys_mprotect will dereference a null pointer
if you use it on a region that is contained within the first vma.  I
have a little program that demonstrates this (I'll post it if anyone
is interested).  What happens then is that the process hangs in
do_page_fault at the down_read on the mm->mmap_sem, since sys_mprotect
has done a down_write on mm->mmap_sem.

The problem is that mprotect_fixup isn't updating prev properly.  Thus
we can finish the main loop in sys_mprotect with prev == NULL.  This
has been the case since Christoph's cleanups went in.  Prior to that,
mprotect_fixup always set prev to something non-NULL.  I suspect that
not updating prev could also cause vmas to get dropped completely if
the region being mprotected spans more than one vma.

The patch below fixes the problem by making mprotect_fixup set prev to
a reasonable value in all circumstances.

Paul.

diff -urN linux-2.5/mm/mprotect.c pmac-2.5/mm/mprotect.c
--- linux-2.5/mm/mprotect.c	Wed Sep 18 15:42:48 2002
+++ pmac-2.5/mm/mprotect.c	Wed Sep 25 10:39:49 2002
@@ -193,6 +193,11 @@
 		if (error)
 			goto fail;
 	}
+	/*
+	 * Unless it returns an error, this function always sets *pprev to
+	 * the first vma for which vma->vm_end >= end.
+	 */
+	*pprev = vma;
 
 	if (end != vma->vm_end) {
 		error = split_vma(mm, vma, end, 0);
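Review bot: the new comment promises that *pprev is written only when the function does not return an error, but the assignment `*pprev = vma;` is placed before the second `split_vma(mm, vma, end, 0)` call, so if that split fails the caller's prev has already been updated. Either move the assignment below the second split (after its error check) or reword the comment to say *pprev is set once the start-side split has succeeded. It would also help to state in the comment why `vma` is the right value here, i.e. that `split_vma(..., end, 0)` keeps `vma` as the piece ending at `end`, which is what makes "vma->vm_end >= end" hold on the success path.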
