From b81074800b98ac50b64d4c8d34e8abf0fda5e3d1 Mon Sep 17 00:00:00 2001 From: Kirill Korotaev Date: Mon, 16 May 2005 21:53:50 -0700 Subject: [PATCH] [PATCH] do_swap_page() can map random data if swap read fails There is a bug in do_swap_page(): when swap page happens to be unreadable, page filled with random data is mapped into user address space. The fix is to check for PageUptodate and send SIGBUS in case of error. Signed-Off-By: Kirill Korotaev Signed-Off-By: Alexey Kuznetsov Acked-by: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- mm/memory.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 6bad4c4..d209f74 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1701,12 +1701,13 @@ static int do_swap_page(struct mm_struct * mm, spin_lock(&mm->page_table_lock); page_table = pte_offset_map(pmd, address); if (unlikely(!pte_same(*page_table, orig_pte))) { - pte_unmap(page_table); - spin_unlock(&mm->page_table_lock); - unlock_page(page); - page_cache_release(page); ret = VM_FAULT_MINOR; - goto out; + goto out_nomap; + } + + if (unlikely(!PageUptodate(page))) { + ret = VM_FAULT_SIGBUS; + goto out_nomap; } /* The page isn't present yet, go ahead with the fault. */ @@ -1741,6 +1742,12 @@ static int do_swap_page(struct mm_struct * mm, spin_unlock(&mm->page_table_lock); out: return ret; +out_nomap: + pte_unmap(page_table); + spin_unlock(&mm->page_table_lock); + unlock_page(page); + page_cache_release(page); + goto out; } /* -- 2.7.4