[PATCH] page_mkwrite caller race fix After do_wp_page has tested page_mkwrite, it must release old_page after acquiring page table lock, not before: at some stage that ordering got reversed, leaving a (very unlikely) window in which old_page might be truncated, freed, and reused in the same position. Signed-off-by: Hugh Dickins <hugh@veritas.com> Acked-by: Nick Piggin <nickpiggin@yahoo.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit: c3704ceb4ad055b489b143f4e37c57d128908012 [log] [tgz]
author: Hugh Dickins <hugh@veritas.com> Sat Feb 10 01:43:00 2007 -0800
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> Sun Feb 11 10:51:17 2007 -0800
tree: 730892c9d4d9dbab03c77597e822a7cb79c9cd96
parent: f05b6284ee5d3be51ebe22284fc4b25fc586f380 [diff] [blame]
diff --git a/mm/memory.c b/mm/memory.c
index ef09f0a..0047d3a 100644
--- a/mm/memory.c
+++ b/mm/memory.c

@@ -1531,8 +1531,6 @@
 			if (vma->vm_ops->page_mkwrite(vma, old_page) < 0)
 				goto unwritable_page;
 
-			page_cache_release(old_page);
-
 			/*
 			 * Since we dropped the lock we need to revalidate
 			 * the PTE as someone else may have changed it.  If
@@ -1541,6 +1539,7 @@
 			 */
 			page_table = pte_offset_map_lock(mm, pmd, address,
 							 &ptl);
+			page_cache_release(old_page);
 			if (!pte_same(*page_table, orig_pte))
 				goto unlock;
 		}
commit	c3704ceb4ad055b489b143f4e37c57d128908012	[log] [tgz]
author	Hugh Dickins <hugh@veritas.com>	Sat Feb 10 01:43:00 2007 -0800
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	Sun Feb 11 10:51:17 2007 -0800
tree	730892c9d4d9dbab03c77597e822a7cb79c9cd96
parent	f05b6284ee5d3be51ebe22284fc4b25fc586f380 [diff] [blame]