forked fromtorvalds/linux
- Notifications
You must be signed in to change notification settings - Fork1
Commitff8c0c5
mm/hugetlb.c: don't call region_abort if region_chg fails
Changes to hugetlbfs reservation maps is a two step process. The firststep is a call to region_chg to determine what needs to be changed, andprepare that change. This should be followed by a call to call toregion_add to commit the change, or region_abort to abort the change.The error path in hugetlb_reserve_pages called region_abort after afailed call to region_chg. As a result, the adds_in_progress counter inthe reservation map is off by 1. This is caught by a VM_BUG_ON inresv_map_release when the reservation map is freed.syzkaller fuzzer (when using an injected kmalloc failure) found thisbug, that resulted in the following: kernel BUG at mm/hugetlb.c:742! Call Trace: hugetlbfs_evict_inode+0x7b/0xa0 fs/hugetlbfs/inode.c:493 evict+0x481/0x920 fs/inode.c:553 iput_final fs/inode.c:1515 [inline] iput+0x62b/0xa20 fs/inode.c:1542 hugetlb_file_setup+0x593/0x9f0 fs/hugetlbfs/inode.c:1306 newseg+0x422/0xd30 ipc/shm.c:575 ipcget_new ipc/util.c:285 [inline] ipcget+0x21e/0x580 ipc/util.c:639 SYSC_shmget ipc/shm.c:673 [inline] SyS_shmget+0x158/0x230 ipc/shm.c:657 entry_SYSCALL_64_fastpath+0x1f/0xc2 RIP: resv_map_release+0x265/0x330 mm/hugetlb.c:742Link:http://lkml.kernel.org/r/1490821682-23228-1-git-send-email-mike.kravetz@oracle.comSigned-off-by: Mike Kravetz <mike.kravetz@oracle.com>Reported-by: Dmitry Vyukov <dvyukov@google.com>Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com>Signed-off-by: Andrew Morton <akpm@linux-foundation.org>Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>1 parentb0845ce commitff8c0c5
1 file changed
+3
-1
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4403 | 4403 | | |
4404 | 4404 | | |
4405 | 4405 | | |
4406 | | - | |
| 4406 | + | |
| 4407 | + | |
| 4408 | + | |
4407 | 4409 | | |
4408 | 4410 | | |
4409 | 4411 | | |
| |||
0 commit comments
Comments
(0)