3 files changed, 48 insertions, 3 deletions

diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
index f97ee02386ee..86a659a19526 100644
--- a/arch/arm/include/asm/pgtable-2level.h
+++ b/arch/arm/include/asm/pgtable-2level.h
@@ -181,6 +181,13 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr)
 
 #define set_pte_ext(ptep,pte,ext) cpu_set_pte_ext(ptep,pte,ext)
 
+/*
+ * We don't have huge page support for short descriptors, for the moment
+ * define empty stubs for use by pin_page_for_write.
+ */
+#define pmd_hugewillfault(pmd)  (0)
+#define pmd_thp_or_huge(pmd)    (0)
+
 #endif /* __ASSEMBLY__ */
 
 #endif /* _ASM_PGTABLE_2LEVEL_H */
diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
index 5689c18c85f5..39c54cfa03e9 100644
--- a/arch/arm/include/asm/pgtable-3level.h
+++ b/arch/arm/include/asm/pgtable-3level.h
@@ -206,6 +206,9 @@ static inline pmd_t *pmd_offset(pud_t *pud, unsigned long addr)
 #define __HAVE_ARCH_PMD_WRITE
 #define pmd_write(pmd)          (!(pmd_val(pmd) & PMD_SECT_RDONLY))
 
+#define pmd_hugewillfault(pmd)  (!pmd_young(pmd) || !pmd_write(pmd))
+#define pmd_thp_or_huge(pmd)    (pmd_huge(pmd) || pmd_trans_huge(pmd))
+
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
 #define pmd_trans_huge(pmd)     (pmd_val(pmd) && !(pmd_val(pmd) & PMD_TABLE_BIT))
 #define pmd_trans_splitting(pmd) (pmd_val(pmd) & PMD_SECT_SPLITTING)
diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
index 025f742dd4df..3e58d710013c 100644
--- a/arch/arm/lib/uaccess_with_memcpy.c
+++ b/arch/arm/lib/uaccess_with_memcpy.c
@@ -18,6 +18,7 @@
 #include <linux/hardirq.h> /* for in_atomic() */
 #include <linux/gfp.h>
 #include <linux/highmem.h>
+#include <linux/hugetlb.h>
 #include <asm/current.h>
 #include <asm/page.h>
 
@@ -40,7 +41,35 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
                 return 0;
 
         pmd = pmd_offset(pud, addr);
-        if (unlikely(pmd_none(*pmd) || pmd_bad(*pmd)))
+        if (unlikely(pmd_none(*pmd)))
+                return 0;
+
+        /*
+         * A pmd can be bad if it refers to a HugeTLB or THP page.
+         *
+         * Both THP and HugeTLB pages have the same pmd layout
+         * and should not be manipulated by the pte functions.
+         *
+         * Lock the page table for the destination and check
+         * to see that it's still huge and whether or not we will
+         * need to fault on write, or if we have a splitting THP.
+         */
+        if (unlikely(pmd_thp_or_huge(*pmd))) {
+                ptl = &current->mm->page_table_lock;
+                spin_lock(ptl);
+                if (unlikely(!pmd_thp_or_huge(*pmd)
+                        || pmd_hugewillfault(*pmd)
+                        || pmd_trans_splitting(*pmd))) {
+                        spin_unlock(ptl);
+                        return 0;
+                }
+
+                *ptep = NULL;
+                *ptlp = ptl;
+                return 1;
+        }
+
+        if (unlikely(pmd_bad(*pmd)))
                 return 0;
 
         pte = pte_offset_map_lock(current->mm, pmd, addr, &ptl);
@@ -94,7 +123,10 @@ __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
                 from += tocopy;
                 n -= tocopy;
 
-                pte_unmap_unlock(pte, ptl);
+                if (pte)
+                        pte_unmap_unlock(pte, ptl);
+                else
+                        spin_unlock(ptl);
         }
         if (!atomic)
                 up_read(&current->mm->mmap_sem);
@@ -147,7 +179,10 @@ __clear_user_memset(void __user *addr, unsigned long n)
                 addr += tocopy;
                 n -= tocopy;
 
-                pte_unmap_unlock(pte, ptl);
+                if (pte)
+                        pte_unmap_unlock(pte, ptl);
+                else
+                        spin_unlock(ptl);
         }
         up_read(&current->mm->mmap_sem);