Commit 6401c4eb authored Sep 02, 2021 by Miaohe Lin Committed by Linus Torvalds Sep 03, 2021

mm: gup: fix potential pgmap refcnt leak in __gup_device_huge()

When failed to try_grab_page, put_dev_pagemap() is missed.  So pgmap
refcnt will leak in this case.  Also we remove the check for pgmap against
NULL as it's also checked inside the put_dev_pagemap().

[akpm@linux-foundation.org: simplify, cleanup]
[akpm@linux-foundation.org: fix return value]

Link: https://lkml.kernel.org/r/20210807093620.21347-5-linmiaohe@huawei.com


Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Fixes: 3faa52c0 ("mm/gup: track FOLL_PIN pages")
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 06a9e696

mm/gup.c

+7 −5

Original line number	Diff line number	Diff line
		@@ -2240,6 +2240,7 @@ static int __gup_device_huge(unsigned long pfn, unsigned long addr,
		{
		int nr_start = *nr;
		struct dev_pagemap *pgmap = NULL;
		int ret = 1;

		do {
		struct page *page = pfn_to_page(pfn);
		@@ -2247,21 +2248,22 @@ static int __gup_device_huge(unsigned long pfn, unsigned long addr,
		pgmap = get_dev_pagemap(pfn, pgmap);
		if (unlikely(!pgmap)) {
		undo_dev_pagemap(nr, nr_start, flags, pages);
		return 0;
		ret = 0;
		break;
		}
		SetPageReferenced(page);
		pages[*nr] = page;
		if (unlikely(!try_grab_page(page, flags))) {
		undo_dev_pagemap(nr, nr_start, flags, pages);
		return 0;
		ret = 0;
		break;
		}
		(*nr)++;
		pfn++;
		} while (addr += PAGE_SIZE, addr != end);

		if (pgmap)
		put_dev_pagemap(pgmap);
		return 1;
		return ret;
		}

		static int __gup_device_huge_pmd(pmd_t orig, pmd_t *pmdp, unsigned long addr,