[PATCH] mremap use-after-free bugfix

I have invented a new software development methodology! You send an
email to Hugh saying "I don't have the foggiest idea why this guy's
kernel is oopsing" and next morning, you get a patch! I shall patent
this.

Since 2.5.3, move_vma() has been passing a freed vma into
move_page_tables().  Fix it to move back to the previous vma in the
list if we're about to delete this one.

Thanks to Morten Helgesen for patient reporting, diagnosis and testing.

diff --git a/mm/mremap.c b/mm/mremap.c
index bfb0557b308cc92e5d577f3af75e5a4eb06ba3a9..b0cd6792d77bec8ae5d6d7f80757ff49c7a26513 100644 (file)
--- a/mm/mremap.c
+++ b/mm/mremap.c
@@ -194,7 +194,8 @@ static inline unsigned long move_vma(struct vm_area_struct * vma,
                                prev->vm_end = next->vm_end;
                                __vma_unlink(mm, next, prev);
                                spin_unlock(&mm->page_table_lock);
-
+                               if (vma == next)
+                                       vma = prev;
                                mm->map_count--;
                                kmem_cache_free(vm_area_cachep, next);
                        }