From: Peter Xu <peterx@xxxxxxxxxx> Subject: mm/gup: fix __get_user_pages() on fault retry of hugetlb When follow_hugetlb_page() returns with *locked==0, it means we've got a VM_FAULT_RETRY within the fauling process and we've released the mmap_sem. When that happens, we should stop and bail out. Link: http://lkml.kernel.org/r/20200220155353.8676-3-peterx@xxxxxxxxxx Signed-off-by: Peter Xu <peterx@xxxxxxxxxx> Tested-by: Brian Geffon <bgeffon@xxxxxxxxxx> Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx> Cc: Bobby Powers <bobbypowers@xxxxxxxxx> Cc: David Hildenbrand <david@xxxxxxxxxx> Cc: Denis Plotnikov <dplotnikov@xxxxxxxxxxxxx> Cc: "Dr . David Alan Gilbert" <dgilbert@xxxxxxxxxx> Cc: Hugh Dickins <hughd@xxxxxxxxxx> Cc: Jerome Glisse <jglisse@xxxxxxxxxx> Cc: Johannes Weiner <hannes@xxxxxxxxxxx> Cc: "Kirill A . Shutemov" <kirill@xxxxxxxxxxxxx> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Cc: Martin Cracauer <cracauer@xxxxxxxx> Cc: Marty McFadden <mcfadden8@xxxxxxxx> Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx> Cc: Maya Gokhale <gokhale2@xxxxxxxx> Cc: Mel Gorman <mgorman@xxxxxxx> Cc: Mike Kravetz <mike.kravetz@xxxxxxxxxx> Cc: Mike Rapoport <rppt@xxxxxxxxxxxxxxxxxx> Cc: Pavel Emelyanov <xemul@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- mm/gup.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/mm/gup.c~mm-gup-fix-__get_user_pages-on-fault-retry-of-hugetlb +++ a/mm/gup.c @@ -1065,6 +1065,16 @@ static long __get_user_pages(struct task i = follow_hugetlb_page(mm, vma, pages, vmas, &start, &nr_pages, i, gup_flags, locked); + if (locked && *locked == 0) { + /* + * We've got a VM_FAULT_RETRY + * and we've lost mmap_sem. + * We must stop here. + */ + BUG_ON(gup_flags & FOLL_NOWAIT); + BUG_ON(ret != 0); + goto out; + } continue; } } _
