提交 c7546f8f 编写于 作者: D David Gibson 提交者: Linus Torvalds

[PATCH] Fix hugepage crash on failing mmap()

This patch fixes a crash in the hugepage code.  unmap_hugepage_area() was
assuming that (due to prefault) PTEs must exist for all the area in
question.  However, this may not be the case, if mmap() encounters an error
before the prefault and calls unmap_region() to clean up any partial
mapping.

Depending on the hugepage configuration, this crash can be triggered by an
unpriveleged user.
Signed-off-by: NDavid Gibson <david@gibson.dropbear.id.au>
Cc: William Lee Irwin III <wli@holomorphy.com>
Signed-off-by: NAndrew Morton <akpm@osdl.org>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
上级 e6cb9941
...@@ -301,6 +301,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, ...@@ -301,6 +301,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
{ {
struct mm_struct *mm = vma->vm_mm; struct mm_struct *mm = vma->vm_mm;
unsigned long address; unsigned long address;
pte_t *ptep;
pte_t pte; pte_t pte;
struct page *page; struct page *page;
...@@ -309,9 +310,17 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start, ...@@ -309,9 +310,17 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
BUG_ON(end & ~HPAGE_MASK); BUG_ON(end & ~HPAGE_MASK);
for (address = start; address < end; address += HPAGE_SIZE) { for (address = start; address < end; address += HPAGE_SIZE) {
pte = huge_ptep_get_and_clear(mm, address, huge_pte_offset(mm, address)); ptep = huge_pte_offset(mm, address);
if (! ptep)
/* This can happen on truncate, or if an
* mmap() is aborted due to an error before
* the prefault */
continue;
pte = huge_ptep_get_and_clear(mm, address, ptep);
if (pte_none(pte)) if (pte_none(pte))
continue; continue;
page = pte_page(pte); page = pte_page(pte);
put_page(page); put_page(page);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册