From: Hugh Dickins Andrea Arcangeli's fix to an ironic weakness with get_user_pages. try_to_unmap_one must check page_count against page->mapcount before unmapping a swapcache page: because the raised pagecount by which get_user_pages ensures the page cannot be freed, will cause any write fault to see that page as not exclusively owned, and therefore a copy page will be substituted for it - the reverse of what's intended. rmap.c was entirely free of such page_count heuristics before, I tried hard to avoid putting this in. But Andrea's fix rarely gives a false positive; and although it might be nicer to change exclusive_swap_page etc. to rely on page->mapcount instead, it seems likely that we'll want to get rid of page->mapcount later, so better not to entrench its use. Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton --- 25-akpm/mm/rmap.c | 17 +++++++++++++++++ 1 files changed, 17 insertions(+) diff -puN mm/rmap.c~mm-get_user_pages-vs-try_to_unmap mm/rmap.c --- 25/mm/rmap.c~mm-get_user_pages-vs-try_to_unmap Wed Jun 2 15:12:27 2004 +++ 25-akpm/mm/rmap.c Wed Jun 2 15:12:27 2004 @@ -485,6 +485,23 @@ static int try_to_unmap_one(struct page goto out_unmap; } + /* + * Don't pull an anonymous page out from under get_user_pages. + * GUP carefully breaks COW and raises page count (while holding + * page_table_lock, as we have here) to make sure that the page + * cannot be freed. If we unmap that page here, a user write + * access to the virtual address will bring back the page, but + * its raised count will (ironically) be taken to mean it's not + * an exclusive swap page, do_wp_page will replace it by a copy + * page, and the user never get to see the data GUP was holding + * the original page for. + */ + if (PageSwapCache(page) && + page_count(page) != page->mapcount + 2) { + ret = SWAP_FAIL; + goto out_unmap; + } + /* Nuke the page table entry. */ flush_cache_page(vma, address); pteval = ptep_clear_flush(vma, address, pte); _