2005-05-11 15:30:14

by Kirill Korotaev

Subject: [PATCH] do_swap_page() can map random data if swap read fails

--- ./mm/memory.c.swaperr 2005-05-10 16:10:40.000000000 +0400
+++ ./mm/memory.c 2005-05-10 18:09:12.000000000 +0400
@@ -1701,12 +1701,13 @@ static int do_swap_page(struct mm_struct
spin_lock(&mm->page_table_lock);
page_table = pte_offset_map(pmd, address);
if (unlikely(!pte_same(*page_table, orig_pte))) {
- pte_unmap(page_table);
- spin_unlock(&mm->page_table_lock);
- unlock_page(page);
- page_cache_release(page);
ret = VM_FAULT_MINOR;
- goto out;
+ goto out_nomap;
+ }
+
+ if (unlikely(!PageUptodate(page))) {
+ ret = VM_FAULT_SIGBUS;
+ goto out_nomap;
}

/* The page isn't present yet, go ahead with the fault. */
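Review bot: the new `!PageUptodate(page)` test in this hunk carries no comment, although it is the line that keeps a page whose swap read failed from being mapped into user space. A one-line comment saying that a page which is still not uptodate at this point means the read failed would help, together with a note on whether its position after the `pte_same()` test matters, since a fault where the pte has already changed returns VM_FAULT_MINOR while this path returns VM_FAULT_SIGBUS. Without that, a later cleanup could reorder or drop the check without noticing what it protects.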
@@ -1741,6 +1742,12 @@ static int do_swap_page(struct mm_struct
spin_unlock(&mm->page_table_lock);
out:
return ret;
+out_nomap:
+ pte_unmap(page_table);
+ spin_unlock(&mm->page_table_lock);
+ unlock_page(page);
+ page_cache_release(page);
+ goto out;
}

/*
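Review bot: the `out_nomap:` block sits after `return ret;` and ends in `goto out;`, a backward jump to a label whose only statement is that return. Ending the block with `return ret;` directly would read more plainly and leave no fall-through to reason about. The cleanup order (pte_unmap, spin_unlock, unlock_page, page_cache_release) matches the lines removed from the `pte_same()` branch, so behaviour on that path is unchanged.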


Attachments:
diff-mainstream-swaperrs-20050429 (907.00 B)

2005-05-11 16:18:31

by Hugh Dickins

Subject: Re: [PATCH] do_swap_page() can map random data if swap read fails

On Wed, 11 May 2005, Kirill Korotaev wrote:

> against 2.6.12-rc4
>
> There is a bug in do_swap_page(): when swap page happens to be unreadable,
> page filled with random data is mapped into user
> address space.
> The fix is to check for PageUptodate and send SIGBUS in case of error.
>
> Signed-Off-By: Kirill Korotaev <[email protected]>
> Signed-Off-By: Alexey Kuznetsov <[email protected]>

Ah, yes, that surprised me years ago, but I forgot all about it.

Acked-by: Hugh Dickins <[email protected]>