mm: check for no mmaps in exit_mmap()

When dup_mmap() ooms we can end up with mm->mmap == NULL. The error path does mmput() and unmap_vmas() gets a NULL vma which it dereferences. In exit_mmap() there is nothing to do at all for this case, we can cancel the callpath right there. [akpm@linux-foundation.org: add sorely-needed comment] Signed-off-by: N Johannes Weiner <hannes@cmpxchg.org> Reported-by: N Akinobu Mita <akinobu.mita@gmail.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Hugh Dickins <hugh@veritas.com> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

mm: check for no mmaps in exit_mmap()
When dup_mmap() ooms we can end up with mm->mmap == NULL. The error path does mmput() and unmap_vmas() gets a NULL vma which it dereferences. In exit_mmap() there is nothing to do at all for this case, we can cancel the callpath right there. [akpm@linux-foundation.org: add sorely-needed comment] Signed-off-by: N Johannes Weiner <hannes@cmpxchg.org> Reported-by: N Akinobu Mita <akinobu.mita@gmail.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Hugh Dickins <hugh@veritas.com> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
dcd4a049 · Johannes Weiner · Linus Torvalds · 084f71ae · dcd4a049
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

mm/mmap.c mm/mmap.c +3 -0

未找到文件。
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2090,6 +2090,9 @@ void exit_mmap(struct mm_struct *mm)
 	arch_exit_mmap(mm);
 	mmu_notifier_release(mm);
+	if (!mm->mmap)	/* Can happen if dup_mmap() received an OOM */
+		return;
 	if (mm->locked_vm) {
 		vma = mm->mmap;
 		while (vma) {