aboutsummaryrefslogtreecommitdiffstats
path: root/mm/hugetlb.c
diff options
context:
space:
mode:
authorDavid Gibson <david@gibson.dropbear.id.au>2005-08-05 14:59:35 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-08-05 15:22:37 -0400
commitc7546f8f03f5a4fa612605b6be930234d6026860 (patch)
treee372cdb3856c9585587283c21b5b99a792a1a41d /mm/hugetlb.c
parente6cb99413da42af413c11a394538ddc8b9d201e1 (diff)
[PATCH] Fix hugepage crash on failing mmap()
This patch fixes a crash in the hugepage code. unmap_hugepage_area() was assuming that (due to prefault) PTEs must exist for all the area in question. However, this may not be the case, if mmap() encounters an error before the prefault and calls unmap_region() to clean up any partial mapping. Depending on the hugepage configuration, this crash can be triggered by an unpriveleged user. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Cc: William Lee Irwin III <wli@holomorphy.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'mm/hugetlb.c')
-rw-r--r--mm/hugetlb.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index fbd1111ea11..6bf720bc662 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -301,6 +301,7 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
301{ 301{
302 struct mm_struct *mm = vma->vm_mm; 302 struct mm_struct *mm = vma->vm_mm;
303 unsigned long address; 303 unsigned long address;
304 pte_t *ptep;
304 pte_t pte; 305 pte_t pte;
305 struct page *page; 306 struct page *page;
306 307
@@ -309,9 +310,17 @@ void unmap_hugepage_range(struct vm_area_struct *vma, unsigned long start,
309 BUG_ON(end & ~HPAGE_MASK); 310 BUG_ON(end & ~HPAGE_MASK);
310 311
311 for (address = start; address < end; address += HPAGE_SIZE) { 312 for (address = start; address < end; address += HPAGE_SIZE) {
312 pte = huge_ptep_get_and_clear(mm, address, huge_pte_offset(mm, address)); 313 ptep = huge_pte_offset(mm, address);
314 if (! ptep)
315 /* This can happen on truncate, or if an
316 * mmap() is aborted due to an error before
317 * the prefault */
318 continue;
319
320 pte = huge_ptep_get_and_clear(mm, address, ptep);
313 if (pte_none(pte)) 321 if (pte_none(pte))
314 continue; 322 continue;
323
315 page = pte_page(pte); 324 page = pte_page(pte);
316 put_page(page); 325 put_page(page);
317 } 326 }