From: john cooper
Subject: [PATCH] mm/memory.c:unmap_vmas(): fix NULL * deref
Date: Mon, 23 Mar 2009 14:50:45 -0400
Message-ID: <49C7DA05.8070206@third-harmonic.com>
References: <200903180902.29139.andreas.tanz@kvt.de> <200903231439.34107.andreas.tanz@kvt.de> <49C797F6.8070308@redhat.com> <200903231833.46550.andreas.tanz@kvt.de>
In-Reply-To: <200903231833.46550.andreas.tanz@kvt.de>
To: aarcange@redhat.com
Cc: Avi Kivity , kvm@vger.kernel.org, john.cooper@redhat.com
Sender: kvm-owner@vger.kernel.org

This cropped up in stress testing of a backport of the mmu notifier mechanism; however, it still exists in 2.6.28.8 as well. Patch attached.

Signed-off-by: john.cooper@redhat.com

--
john.cooper@third-harmonic.com

Content-Disposition: inline; filename="mmu_notifier_unmap_vmas.patch"

mm/memory.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
=================================================================
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -899,9 +899,10 @@ unsigned long unmap_vmas(struct mmu_gath unsigned long start = start_addr; spinlock_t *i_mmap_lock = details? details->i_mmap_lock: NULL; int fullmm = (*tlbp)->fullmm; - struct mm_struct *mm = vma->vm_mm; + struct mm_struct *mm = vma ? vma->vm_mm : NULL; - mmu_notifier_invalidate_range_start(mm, start_addr, end_addr); + if (mm) + mmu_notifier_invalidate_range_start(mm, start_addr, end_addr); for ( ; vma && vma->vm_start < end_addr; vma = vma->vm_next) { unsigned long end; @@ -966,7 +967,8 @@ unsigned long unmap_vmas(struct mmu_gath } } out: - mmu_notifier_invalidate_range_end(mm, start_addr, end_addr); + if (mm) + mmu_notifier_invalidate_range_end(mm, start_addr, end_addr); return start; /* which is now the end (or restart) address */ } --------------010308000002070000040300--
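Review bot: The first hunk's `struct mm_struct *mm = vma ? vma->vm_mm : NULL;` guard is correct as far as it goes, but the commit message should say which caller reaches unmap_vmas() with a NULL vma and why that is legitimate, since the loop condition `for ( ; vma && vma->vm_start < end_addr; ...)` already tolerates an empty VMA list and the notifier call was the only place that dereferenced vma unconditionally. Skipping mmu_notifier_invalidate_range_start() when there is no VMA is sound because there is nothing to invalidate, but a one-line comment above the `if (mm)` explaining that mm is NULL only for an empty range would save the next reader from wondering whether a real mm can ever be missed here. It is also worth asking whether the mmu_gather at *tlbp (already dereferenced for `fullmm` a line earlier) could supply the mm instead, which would keep the notifier calls unconditional; if it cannot on this tree, say so in the message.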
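Review bot: The second hunk's guard on mmu_notifier_invalidate_range_end() must stay symmetric with the guard on the _start call, and it does: mm is computed once before the loop and never reassigned, so the _end call is skipped exactly when the _start call was, and notifier users always see balanced start/end pairs. Note that the `out:` label is reached both by the `goto out` inside the loop (where vma, and hence mm, is non-NULL) and by falling through after the loop, so the `if (mm)` here is needed only for the fall-through-with-NULL-vma case; a short comment at `out:` stating that invariant would make the pairing obvious. The diffstat in the mail (5 insertions, 3 deletions) matches the two hunks as shown.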