From: Hugh Dickins Date: Sat, 10 Feb 2007 09:43:00 +0000 (-0800) Subject: [PATCH] page_mkwrite caller race fix X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c3704ceb4ad055b489b143f4e37c57d128908012;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] page_mkwrite caller race fix After do_wp_page has tested page_mkwrite, it must release old_page after acquiring page table lock, not before: at some stage that ordering got reversed, leaving a (very unlikely) window in which old_page might be truncated, freed, and reused in the same position. Signed-off-by: Hugh Dickins Acked-by: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/mm/memory.c b/mm/memory.c index ef09f0acb1d..0047d3a4e36 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1531,8 +1531,6 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma, if (vma->vm_ops->page_mkwrite(vma, old_page) < 0) goto unwritable_page; - page_cache_release(old_page); - /* * Since we dropped the lock we need to revalidate * the PTE as someone else may have changed it. If @@ -1541,6 +1539,7 @@ static int do_wp_page(struct mm_struct *mm, struct vm_area_struct *vma, */ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); + page_cache_release(old_page); if (!pte_same(*page_table, orig_pte)) goto unlock; }