[ 3.8.y.z extended stable ] Patch "mm/huge_memory.c: fix potential NULL pointer dereference" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Sep 20 00:36:30 UTC 2013


This is a note to let you know that I have just added a patch titled

    mm/huge_memory.c: fix potential NULL pointer dereference

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.10.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From 1a06722bd947ad81a7d9180a19f9b7bb1fdb48fd Mon Sep 17 00:00:00 2001
From: Libin <huawei.libin at huawei.com>
Date: Wed, 11 Sep 2013 14:20:38 -0700
Subject: mm/huge_memory.c: fix potential NULL pointer dereference

commit a8f531ebc33052642b4bd7b812eedf397108ce64 upstream.

In collapse_huge_page() there is a race window between releasing the
mmap_sem read lock and taking the mmap_sem write lock, so find_vma() may
return NULL.  So check the return value to avoid NULL pointer dereference.

collapse_huge_page
	khugepaged_alloc_page
		up_read(&mm->mmap_sem)
	down_write(&mm->mmap_sem)
	vma = find_vma(mm, address)

Signed-off-by: Libin <huawei.libin at huawei.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov at linux.intel.com>
Reviewed-by: Wanpeng Li <liwanp at linux.vnet.ibm.com>
Reviewed-by: Michal Hocko <mhocko at suse.cz>
Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 mm/huge_memory.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/huge_memory.c b/mm/huge_memory.c
index 9459edd..e9308d3 100644
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2327,6 +2327,8 @@ static void collapse_huge_page(struct mm_struct *mm,
 		goto out;

 	vma = find_vma(mm, address);
+	if (!vma)
+		goto out;
 	hstart = (vma->vm_start + ~HPAGE_PMD_MASK) & HPAGE_PMD_MASK;
 	hend = vma->vm_end & HPAGE_PMD_MASK;
 	if (address < hstart || address + HPAGE_PMD_SIZE > hend)
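Review bot: the new NULL check at `if (!vma) goto out;` reuses the same `out` exit as the existing `goto out` two lines above it, so the cleanup on this new early-exit path is whatever that label already performs for the earlier bail-out; worth confirming in the full function that `out` both drops the write-side mmap_sem taken before this point and releases the already-allocated huge page, since the hunk itself does not show the label. Note also that `find_vma()` returns the first VMA whose end lies above `address`, so a non-NULL result may still not cover `address`; that case is handled by the unchanged `if (address < hstart || address + HPAGE_PMD_SIZE > hend)` range check, while the new line covers only the case where no VMA at all remains after the lock was dropped and re-taken. Together the two checks close the window described in the commit message.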
--
1.8.1.2