mm: fix page reference leak in soft_offline_page()

mainline inclusion from mainline-5.11-rc5 commit dad4e5b3 category: bugfix bugzilla: 107811 https://gitee.com/openeuler/kernel/issues/I4CZ5W CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dad4e5b390866ca902653df0daa864ae4b8d4147 --------------------------- The conversion to move pfn_to_online_page() internal to soft_offline_page() missed that the get_user_pages() reference taken by the madvise() path needs to be dropped when pfn_to_online_page() fails. Note the direct sysfs-path to soft_offline_page() does not perform a get_user_pages() lookup. When soft_offline_page() is handed a pfn_valid() && !pfn_to_online_page() pfn the kernel hangs at dax-device shutdown due to a leaked reference. Link: https://lkml.kernel.org/r/161058501210.1840162.8108917599181157327.stgit@dwillia2-desk3.amr.corp.intel.com Fixes: feec24a6 ("mm, soft-offline: convert parameter to pfn") Signed-off-by: N Dan Williams <dan.j.williams@intel.com> Reviewed-by: N David Hildenbrand <david@redhat.com> Reviewed-by: N Oscar Salvador <osalvador@suse.de> Reviewed-by: N Naoya Horiguchi <naoya.horiguchi@nec.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Qian Cai <cai@lca.pw> Cc: <stable@vger.kernel.org> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Nanyong Sun <sunnanyong@huawei.com> Reviewed-by: N Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

mm: fix page reference leak in soft_offline_page()
mainline inclusion from mainline-5.11-rc5 commit dad4e5b3 category: bugfix bugzilla: 107811 https://gitee.com/openeuler/kernel/issues/I4CZ5W CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dad4e5b390866ca902653df0daa864ae4b8d4147 --------------------------- The conversion to move pfn_to_online_page() internal to soft_offline_page() missed that the get_user_pages() reference taken by the madvise() path needs to be dropped when pfn_to_online_page() fails. Note the direct sysfs-path to soft_offline_page() does not perform a get_user_pages() lookup. When soft_offline_page() is handed a pfn_valid() && !pfn_to_online_page() pfn the kernel hangs at dax-device shutdown due to a leaked reference. Link: https://lkml.kernel.org/r/161058501210.1840162.8108917599181157327.stgit@dwillia2-desk3.amr.corp.intel.com Fixes: feec24a6 ("mm, soft-offline: convert parameter to pfn") Signed-off-by: N Dan Williams <dan.j.williams@intel.com> Reviewed-by: N David Hildenbrand <david@redhat.com> Reviewed-by: N Oscar Salvador <osalvador@suse.de> Reviewed-by: N Naoya Horiguchi <naoya.horiguchi@nec.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Qian Cai <cai@lca.pw> Cc: <stable@vger.kernel.org> Signed-off-by: N Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: N Nanyong Sun <sunnanyong@huawei.com> Reviewed-by: N Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
50b25cec · Dan Williams · Zheng Zengkai · ecb147c3 · 50b25cec
隐藏空白更改
内联并排

Showing with 16 addition and 4 deletion

mm/memory-failure.c mm/memory-failure.c +16 -4

未找到文件。
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1886,6 +1886,12 @@ static int soft_offline_free_page(struct page *page)
 	return rc;
 }
+static void put_ref_page(struct page *page)
+{
+	if (page)
+		put_page(page);
+}
 /**
 * soft_offline_page - Soft offline a page.
 * @pfn: pfn to soft-offline
@@ -1911,20 +1917,26 @@ static int soft_offline_free_page(struct page *page)
 int soft_offline_page(unsigned long pfn, int flags)
 {
 	int ret;
-	struct page *page;
 	bool try_again = true;
+	struct page *page, *ref_page = NULL;
+	WARN_ON_ONCE(!pfn_valid(pfn) && (flags & MF_COUNT_INCREASED));
 	if (!pfn_valid(pfn))
 		return -ENXIO;
+	if (flags & MF_COUNT_INCREASED)
+		ref_page = pfn_to_page(pfn);
 	/* Only online pages can be soft-offlined (esp., not ZONE_DEVICE). */
 	page = pfn_to_online_page(pfn);
-	if (!page)
+	if (!page) {
+		put_ref_page(ref_page);
 		return -EIO;
+	}
 	if (PageHWPoison(page)) {
 		pr_info("soft offline: %#lx page already poisoned\n", pfn);
-		if (flags & MF_COUNT_INCREASED)
+		put_ref_page(ref_page);
-			put_page(page);
 		return 0;
 	}