From patchwork Mon Mar 23 18:50:45 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: john cooper <john.cooper@third-harmonic.com>
X-Patchwork-Id: 13816
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n2NJWwJS029315
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 23 Mar 2009 19:32:58 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755078AbZCWTc5 (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Mon, 23 Mar 2009 15:32:57 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754071AbZCWTc5
	(ORCPT <rfc822;kvm-outgoing>); Mon, 23 Mar 2009 15:32:57 -0400
Received: from dpc691978010.direcpc.com ([69.19.78.10]:36306 "EHLO
	anvil.third-harmonic.com" rhost-flags-OK-OK-OK-FAIL)
	by vger.kernel.org with ESMTP id S1754064AbZCWTc5 (ORCPT
	<rfc822;kvm@vger.kernel.org>); Mon, 23 Mar 2009 15:32:57 -0400
X-Greylist: delayed 1160 seconds by postgrey-1.27 at vger.kernel.org;
	Mon, 23 Mar 2009 15:32:55 EDT
Received: from anvil.naka.net (localhost.localdomain [127.0.0.1])
	by anvil.third-harmonic.com (8.14.1/8.14.1) with ESMTP id
	n2NIojR2030189; Mon, 23 Mar 2009 14:50:46 -0400
Message-ID: <49C7DA05.8070206@third-harmonic.com>
Date: Mon, 23 Mar 2009 14:50:45 -0400
From: john cooper <john.cooper@third-harmonic.com>
User-Agent: Thunderbird 2.0.0.9 (X11/20071115)
MIME-Version: 1.0
To: aarcange@redhat.com
CC: Avi Kivity <avi@redhat.com>, kvm@vger.kernel.org, john.cooper@redhat.com
Subject: [PATCH] mm/memory.c:unmap_vmas(): fix NULL * deref
References: <200903180902.29139.andreas.tanz@kvt.de>
	<200903231439.34107.andreas.tanz@kvt.de>
	<49C797F6.8070308@redhat.com>
	<200903231833.46550.andreas.tanz@kvt.de>
In-Reply-To: <200903231833.46550.andreas.tanz@kvt.de>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

This cropped up in stress testing of a backport
of the mmu notifier mechanism, however it still
exists in 2.6.28.8 as well.  Patch attached.

Signed-off-by: john.cooper@redhat.com

 mm/memory.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
=================================================================
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -899,9 +899,10 @@ unsigned long unmap_vmas(struct mmu_gath
 	unsigned long start = start_addr;
 	spinlock_t *i_mmap_lock = details? details->i_mmap_lock: NULL;
 	int fullmm = (*tlbp)->fullmm;
-	struct mm_struct *mm = vma->vm_mm;
+	struct mm_struct *mm = vma ? vma->vm_mm : NULL;
 
-	mmu_notifier_invalidate_range_start(mm, start_addr, end_addr);
+	if (mm)
+		mmu_notifier_invalidate_range_start(mm, start_addr, end_addr);
 	for ( ; vma && vma->vm_start < end_addr; vma = vma->vm_next) {
 		unsigned long end;
 
@@ -966,7 +967,8 @@ unsigned long unmap_vmas(struct mmu_gath
 		}
 	}
 out:
-	mmu_notifier_invalidate_range_end(mm, start_addr, end_addr);
+	if (mm)
+		mmu_notifier_invalidate_range_end(mm, start_addr, end_addr);
 	return start;	/* which is now the end (or restart) address */
 }