Commit 1d88433b authored Feb 24, 2021 by Miaohe Lin Committed by Linus Torvalds Feb 24, 2021

mm/hugetlb: fix use after free when subpool max_hpages accounting is not enabled

If a hugetlbfs filesystem is created with the min_size option and
without the size option, used_hpages is always 0 and might lead to
release subpool prematurely because it indicates no pages are used now
while there might be.

In order to fix this issue, we should check used_hpages == 0 iff
max_hpages accounting is enabled.  As max_hpages accounting should be
enabled in most common case, this is not worth a Cc stable.

[mike.kravetz@oracle.com: new changelog]

Link: https://lkml.kernel.org/r/20210126115510.53374-1-linmiaohe@huawei.com


Signed-off-by: Hongxiang Lou <louhongxiang@huawei.com>
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent c78a7f36

mm/hugetlb.c

+13 −3

Original line number	Diff line number	Diff line
		@@ -97,16 +97,26 @@ static inline void ClearPageHugeFreed(struct page *head)
		/* Forward declaration */
		static int hugetlb_acct_memory(struct hstate *h, long delta);

		static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
		static inline bool subpool_is_free(struct hugepage_subpool *spool)
		{
		bool free = (spool->count == 0) && (spool->used_hpages == 0);
		if (spool->count)
		return false;
		if (spool->max_hpages != -1)
		return spool->used_hpages == 0;
		if (spool->min_hpages != -1)
		return spool->rsv_hpages == spool->min_hpages;

		return true;
		}

		static inline void unlock_or_release_subpool(struct hugepage_subpool *spool)
		{
		spin_unlock(&spool->lock);

		/* If no pages are used, and no other handles to the subpool
		* remain, give up any reservations based on minimum size and
		* free the subpool */
		if (free) {
		if (subpool_is_free(spool)) {
		if (spool->min_hpages != -1)
		hugetlb_acct_memory(spool->hstate,
		-spool->min_hpages);