[PATCH openEuler-5.10 02/10] mm: gup: fix potential pgmap refcnt leak in __gup_device_huge()

24 Apr 2022

From: Miaohe Lin linmiaohe@huawei.com
mainline inclusion
from mainline-v5.15-rc1
commit 6401c4eb57f947a49eb144b5b0787cde3318e82e
category: bugfix
bugzilla: 180689, https://gitee.com/openeuler/kernel/issues/I53CMX
CVE: NA
backport: openEuler-22.03-LTS
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
When failed to try_grab_page, put_dev_pagemap() is missed.  So pgmap
refcnt will leak in this case.  Also we remove the check for pgmap against
NULL as it's also checked inside the put_dev_pagemap().
[akpm@linux-foundation.org: simplify, cleanup]
[akpm@linux-foundation.org: fix return value]
Link: https://lkml.kernel.org/r/20210807093620.21347-5-linmiaohe@huawei.com
Signed-off-by: Miaohe Lin linmiaohe@huawei.com
Fixes: 3faa52c03f44 ("mm/gup: track FOLL_PIN pages")
Reviewed-by: John Hubbard jhubbard@nvidia.com
Reviewed-by: Claudio Imbrenda imbrenda@linux.ibm.com
Cc: Jan Kara jack@suse.cz
Cc: Kirill A. Shutemov kirill.shutemov@linux.intel.com
Signed-off-by: Andrew Morton akpm@linux-foundation.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
(cherry picked from commit 6401c4eb57f947a49eb144b5b0787cde3318e82e)
Signed-off-by: Yue Zou zouyue3@huawei.com
Reviewed-by: Kefeng Wang wangkefeng.wang@huawei.com
Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com
---
 mm/gup.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/mm/gup.c b/mm/gup.c
index ee9c2c39c299..4e9945299fe5 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -2319,6 +2319,7 @@ static int __gup_device_huge(unsigned long pfn, unsigned long addr,
 {
    int nr_start = *nr;
    struct dev_pagemap *pgmap = NULL;
+	int ret = 1;
do {
    	struct page *page = pfn_to_page(pfn);
@@ -2326,21 +2327,22 @@ static int __gup_device_huge(unsigned long pfn, unsigned long addr,
    	pgmap = get_dev_pagemap(pfn, pgmap);
    	if (unlikely(!pgmap)) {
    		undo_dev_pagemap(nr, nr_start, flags, pages);
-			return 0;
+			ret = 0;
+			break;
    	}
    	SetPageReferenced(page);
    	pages[*nr] = page;
    	if (unlikely(!try_grab_page(page, flags))) {
    		undo_dev_pagemap(nr, nr_start, flags, pages);
-			return 0;
+			ret = 0;
+			break;
    	}
    	(*nr)++;
    	pfn++;
    } while (addr += PAGE_SIZE, addr != end);
-	if (pgmap)
-		put_dev_pagemap(pgmap);
-	return 1;
+	put_dev_pagemap(pgmap);
+	return ret;
 }
static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,
-- 
2.20.1

    

2024

2023

2022

2021

2020

2019

[PATCH openEuler-5.10 02/10] mm: gup: fix potential pgmap refcnt leak in __gup_device_huge()