[3/3] mm: set vm_next and vm_prev to NULL in vm_area_dup()

Message ID 1581150928-3214-4-git-send-email-lixinhai.lxh@gmail.com
State New
Series
  • mm: Fix misuse of parent anon_vma in dup_mmap path

Commit Message

Li Xinhai Feb. 8, 2020, 8:35 a.m. UTC
Set ->vm_next and ->vm_prev to NULL to prevent potential misuse from
the newly duplicated vma.

Currently, only in the fork path is there misuse in handling anon_vma. No
other bugs have been revealed with this patch applied.

Signed-off-by: Li Xinhai <lixinhai.lxh@gmail.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
---
 kernel/fork.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/kernel/fork.c b/kernel/fork.c
index 1bbd49a..eb3a148 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -361,6 +361,7 @@  struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
 	if (new) {
 		*new = *orig;
 		INIT_LIST_HEAD(&new->anon_vma_chain);
+		new->vm_next = new->vm_prev = NULL;
 	}
 	return new;
 }
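Review bot: clearing both list links right after `*new = *orig;` is sound, but it changes what every caller of vm_area_dup() receives, not only dup_mmap(); the commit message should state that any other caller that previously relied on the copied vm_next/vm_prev re-links the new vma before dereferencing those fields. A short comment above `new->vm_next = new->vm_prev = NULL;` saying that the copy is deliberately unlinked and that callers are responsible for inserting it into a list would make the contract visible at the definition rather than only in this series' history.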
@@ -561,7 +562,6 @@  static __latent_entropy int dup_mmap(struct mm_struct *mm,
 		} else if (anon_vma_fork(tmp, mpnt))
 			goto fail_nomem_anon_vma_fork;
 		tmp->vm_flags &= ~(VM_LOCKED | VM_LOCKONFAULT);
-		tmp->vm_next = tmp->vm_prev = NULL;
 		file = tmp->vm_file;
 		if (file) {
 			struct inode *inode = file_inode(file);
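Review bot: the removed assignment sat after the `anon_vma_fork(tmp, mpnt)` call, so before this patch tmp reached anon_vma_fork() with vm_next/vm_prev still copied from mpnt, i.e. pointing into the parent's vma list; with the clear moved into vm_area_dup() they are already NULL at that point. That ordering change is the actual behavioural fix this hunk delivers and it is only correct together with the vm_area_dup() hunk, so the commit message should say so explicitly instead of only "prevent potential misuse", and the two hunks must not be split across separate backports.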