• Kirill A. Shutemov's avatar
    mm: Fix NULL pointer dereference in madvise(MADV_WILLNEED) support · ee53664b
    Kirill A. Shutemov authored
    Sasha Levin found a NULL pointer dereference that is due to a missing
    page table lock, which in turn is due to the pmd entry in question being
    a transparent huge-table entry.
    
    The code - introduced in commit 1998cc04 ("mm: make
    madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
    for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
    turns out that that function doesn't work correctly.
    
    pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
    trigger if the transparent hugepage bit was set, but it doesn't do that
    if pmd_numa() is also set. Note that the NUMA bit only gets set on real
    NUMA machines, so people trying to reproduce this on most normal
    development systems would never actually trigger this.
    
    Fix it by removing the very subtle (and subtly incorrect) expectation,
    and instead just checking pmd_trans_huge() explicitly.
    Reported-by: default avatarSasha Levin <sasha.levin@oracle.com>
    Acked-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
    [ Additionally remove the now stale test for pmd_trans_huge() inside the
      pmd_bad() case - Linus ]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    ee53664b
pgtable.h 19.9 KB