]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit - mm/hmm.c
projects / mirror_ubuntu-hirsute-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e3fe8e5) | patch
mm/hmm: hmm_range_fault() NULL pointer bug
authorRalph Campbell <rcampbell@nvidia.com>
Fri, 23 Aug 2019 22:17:52 +0000 (15:17 -0700)
committerJason Gunthorpe <jgg@mellanox.com>
Tue, 27 Aug 2019 22:27:07 +0000 (19:27 -0300)
commit6c64f2bbe79cf3b770ac60ae79442322bd76d55e
tree79acd2366e34348b704a425f07b34e55ebd1ce40tree
parente3fe8e555dd05cf74168d18555c44320ed50a0e1commit | diff
mm/hmm: hmm_range_fault() NULL pointer bug

Although hmm_range_fault() calls find_vma() to make sure that a vma exists
before calling walk_page_range(), hmm_vma_walk_hole() can still be called
with walk->vma == NULL if the start and end address are not contained
within the vma range.

 hmm_range_fault() /* calls find_vma() but no range check */
  walk_page_range() /* calls find_vma(), sets walk->vma = NULL */
   __walk_page_range()
    walk_pgd_range()
     walk_p4d_range()
      walk_pud_range()
       hmm_vma_walk_hole()
        hmm_vma_walk_hole_()
         hmm_vma_do_fault()
          handle_mm_fault(vma=0)

Link: https://lore.kernel.org/r/20190823221753.2514-2-rcampbell@nvidia.com
Signed-off-by: Ralph Campbell <rcampbell@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
mm/hmm.c diff | blob | blame | history
Ubuntu Hirsute Linux kernel mirror