    fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list() · db33368c
    Mike Kravetz authored
    commit 9aacdd35 upstream.
    
    Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine.  The
    argument end is of type pgoff_t.  It was being converted to a vaddr
    offset and passed to unmap_hugepage_range.  However, end was also being
    used as an argument to the vma_interval_tree_foreach controlling loop.
    In addition, the conversion of end to vaddr offset was incorrect.
    
    hugetlb_vmtruncate_list is called as part of a file truncate or
    fallocate hole punch operation.
    
    When truncating a hugetlbfs file, this bug could prevent some pages from
    being unmapped.  This is possible if there are multiple vmas mapping the
    file, and there is a sufficiently sized hole between the mappings.  The
    size of the hole between two vmas (A,B) must be such that the starting
    virtual address of B is greater than (ending virtual address of A <<
    PAGE_SHIFT).  In this case, the pages in B would not be unmapped.  If
    pages are not properly unmapped during truncate, the following BUG is
    hit:
    
    	kernel BUG at fs/hugetlbfs/inode.c:428!
    
    In the fallocate hole punch case, this bug could prevent pages from
    being unmapped as in the truncate case.  However, for hole punch the
    result is that unmapped pages will not be removed during the operation.
    For hole punch, it is also possible that more pages than desired will be
    unmapped.  This unnecessary unmapping will cause page faults to
    reestablish the mappings on subsequent page access.
    
    Fixes: 1bfad99a ("hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")
    Reported-by: Hillf Danton <hillf.zj@alibaba-inc.com>
    Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>