[PATCH] Fix hugepage crash on failing mmap()
authorDavid Gibson <david@gibson.dropbear.id.au>
Fri, 5 Aug 2005 18:59:35 +0000 (11:59 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Fri, 5 Aug 2005 19:22:37 +0000 (12:22 -0700)
This patch fixes a crash in the hugepage code.  unmap_hugepage_area() was
assuming that (due to prefault) PTEs must exist for all the area in
question.  However, this may not be the case, if mmap() encounters an error
before the prefault and calls unmap_region() to clean up any partial
mapping.

Depending on the hugepage configuration, this crash can be triggered by an
unpriveleged user.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Cc: William Lee Irwin III <wli@holomorphy.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
mm/hugetlb.c

index fbd1111ea1194fc106042d57d2115a743dce7ced..6bf720bc662c41983c1208e2aef409d4e0a276ac 100644 (file)
@@ -301,6 +301,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
 {
        struct mm_struct *mm = vma->vm_mm;
        unsigned long address;
+       pte_t *ptep;
        pte_t pte;
        struct page *page;
 
@@ -309,9 +310,17 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
        BUG_ON(end & ~HPAGE_MASK);
 
        for (address = start; address < end; address += HPAGE_SIZE) {
-               pte = huge_ptep_get_and_clear(mm, address, huge_pte_offset(mm, address));
+               ptep = huge_pte_offset(mm, address);
+               if (! ptep)
+                       /* This can happen on truncate, or if an
+                        * mmap() is aborted due to an error before
+                        * the prefault */
+                       continue;
+
+               pte = huge_ptep_get_and_clear(mm, address, ptep);
                if (pte_none(pte))
                        continue;
+
                page = pte_page(pte);
                put_page(page);
        }