Commit 1d88433b authored by Miaohe Lin, committed by Linus Torvalds

mm/hugetlb: fix use after free when subpool max_hpages accounting is not enabled

If a hugetlbfs filesystem is created with the min_size option and
without the size option, used_hpages is always 0 and might lead to
releasing the subpool prematurely, because it indicates that no pages
are used now while there might be.

In order to fix this issue, we should check used_hpages == 0 iff
max_hpages accounting is enabled.  As max_hpages accounting should be
enabled in the most common case, this is not worth a Cc stable.

[mike.kravetz@oracle.com: new changelog]

Link: https://lkml.kernel.org/r/20210126115510.53374-1-linmiaohe@huawei.com
Signed-off-by: Hongxiang Lou <louhongxiang@huawei.com>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent c78a7f36
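A worked model of the failure the commit message describes, added here as an example; it is not kernel code and not part of this commit. It is a userspace C model of the subpool fields named above (count, max_hpages, used_hpages, min_hpages, rsv_hpages). The struct layout and the get/put helpers are simplified assumptions that mirror the kernel's accounting only in shape: with size= the used_hpages counter moves, with min_size= only the reservation counter rsv_hpages moves. The two predicates are the pre-fix and post-fix free checks, applied to a min_size-only subpool that still has pages handed out.

```c
/* Added example, not kernel code: a userspace model of hugetlb subpool
 * accounting showing why the old "free" test misfires when only min_size=
 * is set. The struct and helpers are simplified assumptions. */
#include <stdbool.h>
#include <stdio.h>

struct subpool {
	long count;        /* open handles to the subpool */
	long max_hpages;   /* -1 when size= (max accounting) is not set */
	long used_hpages;  /* only maintained when max_hpages != -1 */
	long min_hpages;   /* -1 when min_size= is not set */
	long rsv_hpages;   /* pages still held in the minimum reservation */
};

/* Build a subpool the way mount options would: size= sets max_hpages,
 * min_size= sets min_hpages and seeds rsv_hpages with the reservation. */
static struct subpool subpool_new(long max_hpages, long min_hpages)
{
	struct subpool sp = { .count = 1, .max_hpages = max_hpages,
			      .used_hpages = 0, .min_hpages = min_hpages,
			      .rsv_hpages = min_hpages != -1 ? min_hpages : 0 };
	return sp;
}

/* Hand out delta pages: max accounting bumps used_hpages; min accounting
 * serves pages from the reservation first (assumed simplification). */
static bool subpool_get_pages(struct subpool *sp, long delta)
{
	if (sp->max_hpages != -1) {
		if (sp->used_hpages + delta > sp->max_hpages)
			return false;
		sp->used_hpages += delta;
	}
	if (sp->min_hpages != -1)
		sp->rsv_hpages -= delta <= sp->rsv_hpages ? delta : sp->rsv_hpages;
	return true;
}

/* Return delta pages: undo used_hpages, refill the reservation up to min. */
static void subpool_put_pages(struct subpool *sp, long delta)
{
	if (sp->max_hpages != -1)
		sp->used_hpages -= delta;
	if (sp->min_hpages != -1 && sp->rsv_hpages < sp->min_hpages) {
		long room = sp->min_hpages - sp->rsv_hpages;
		sp->rsv_hpages += delta < room ? delta : room;
	}
}

/* Pre-fix test: only used_hpages, which never moves without max accounting. */
static bool subpool_is_free_old(const struct subpool *sp)
{
	return sp->count == 0 && sp->used_hpages == 0;
}

/* Post-fix test from the commit: used_hpages only when max accounting is on,
 * otherwise "is the whole minimum reservation back". */
static bool subpool_is_free_new(const struct subpool *sp)
{
	if (sp->count)
		return false;
	if (sp->max_hpages != -1)
		return sp->used_hpages == 0;
	if (sp->min_hpages != -1)
		return sp->rsv_hpages == sp->min_hpages;
	return true;
}

/* Scenario from the commit: min_size=8 pages, no size=, 3 pages handed out,
 * last handle dropped. True iff the old check would free the subpool while
 * pages are still out and the new check would not. */
static bool old_check_frees_while_in_use(void)
{
	struct subpool sp = subpool_new(-1, 8);
	subpool_get_pages(&sp, 3);
	sp.count = 0; /* last handle put */
	return subpool_is_free_old(&sp) && !subpool_is_free_new(&sp);
}

/* Same subpool after the 3 pages come back: the new check now frees it. */
static bool new_check_frees_after_pages_returned(void)
{
	struct subpool sp = subpool_new(-1, 8);
	subpool_get_pages(&sp, 3);
	sp.count = 0;
	subpool_put_pages(&sp, 3);
	return subpool_is_free_new(&sp);
}

/* size=16 without min_size=: both checks agree, via used_hpages. */
static bool size_only_checks_agree(void)
{
	struct subpool sp = subpool_new(16, -1);
	subpool_get_pages(&sp, 5);
	sp.count = 0;
	bool in_use_ok = !subpool_is_free_old(&sp) && !subpool_is_free_new(&sp);
	subpool_put_pages(&sp, 5);
	return in_use_ok && subpool_is_free_old(&sp) && subpool_is_free_new(&sp);
}

int main(void)
{
	printf("old check frees in-use min_size-only subpool: %s\n",
	       old_check_frees_while_in_use() ? "yes" : "no");
	printf("new check frees it once pages are returned: %s\n",
	       new_check_frees_after_pages_returned() ? "yes" : "no");
	return 0;
}
```

The model makes the commit's point concrete: with min_size= only, used_hpages never leaves 0, so the old predicate is satisfied the moment the last handle goes away, even with three pages outstanding; rsv_hpages is the field that actually tracks whether the reserved pages are all back.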
...@@ -97,16 +97,26 @@ static inline void ClearPageHugeFreed(struct page *head) ...@@ -97,16 +97,26 @@ static inline void ClearPageHugeFreed(struct page *head)
/* Forward declaration */ /* Forward declaration */
static int hugetlb_acct_memory(struct hstate *h, long delta); static int hugetlb_acct_memory(struct hstate *h, long delta);
static inline void unlock_or_release_subpool(struct hugepage_subpool *spool) static inline bool subpool_is_free(struct hugepage_subpool *spool)
{ {
bool free = (spool->count == 0) && (spool->used_hpages == 0); if (spool->count)
return false;
if (spool->max_hpages != -1)
return spool->used_hpages == 0;
if (spool->min_hpages != -1)
return spool->rsv_hpages == spool->min_hpages;
return true;
}
static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
{
spin_unlock(&spool->lock); spin_unlock(&spool->lock);
/* If no pages are used, and no other handles to the subpool /* If no pages are used, and no other handles to the subpool
* remain, give up any reservations based on minimum size and * remain, give up any reservations based on minimum size and
* free the subpool */ * free the subpool */
if (free) { if (subpool_is_free(spool)) {
if (spool->min_hpages != -1) if (spool->min_hpages != -1)
hugetlb_acct_memory(spool->hstate, hugetlb_acct_memory(spool->hstate,
-spool->min_hpages); -spool->min_hpages);
......
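Review bot: subpool_is_free() is evaluated after spin_unlock(&spool->lock) in unlock_or_release_subpool(), whereas the removed `bool free = (spool->count == 0) && (spool->used_hpages == 0);` was computed before the unlock, so count, used_hpages and rsv_hpages are now read with the lock dropped. Keep the read under the lock by computing it first, i.e. `bool free = subpool_is_free(spool);` ahead of `spin_unlock(&spool->lock);` and testing `if (free)` as before. The comment above the check ("If no pages are used, and no other handles to the subpool remain") is also narrower than the new condition, which for a min_size-only subpool means the whole minimum reservation is back (rsv_hpages == min_hpages); it is worth updating the comment to say so.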