Hillf Danton noticed bugs in the hugetlb_vmtruncate_list routine.
The argument end is of type pgoff_t. It was being converted to a
vaddr offset and passed to unmap_hugepage_range. However, end
was also being used as an argument to the vma_interval_tree_foreach
controlling loop. In addition, the conversion of end to vaddr offset
was incorrect.
Fixes: 1bfad99ab (" hugetlbfs: hugetlb_vmtruncate_list() needs to take a range")
Cc: stable@xxxxxxxxxxxxxxx [4.3]
Signed-off-by: Mike Kravetz <mike.kravetz@xxxxxxxxxx>
---
fs/hugetlbfs/inode.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 0444760..89abdc9 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -461,8 +461,12 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
* end == 0 indicates that the entire range after
* start should be unmapped.
*/
- vma_interval_tree_foreach(vma, root, start, end ? end : ULONG_MAX) {
+ if (!end)
+ end = ULONG_MAX;
+
+ vma_interval_tree_foreach(vma, root, start, end) {
unsigned long v_offset;
+ unsigned long v_end;
/*
* Can the expression below overflow on 32-bit arches?
@@ -475,15 +479,12 @@ hugetlb_vmdelete_list(struct rb_root *root, pgoff_t start, pgoff_t end)
else
v_offset = 0;
- if (end) {
- end = ((end - start) << PAGE_SHIFT) +
- vma->vm_start + v_offset;
- if (end > vma->vm_end)
- end = vma->vm_end;
- } else
- end = vma->vm_end;
+ v_end = (end - vma->vm_pgoff) << PAGE_SHIFT;
+ if (v_end > vma->vm_end)
+ v_end = vma->vm_end;
- unmap_hugepage_range(vma, vma->vm_start + v_offset, end, NULL);
+ unmap_hugepage_range(vma, vma->vm_start + v_offset, v_end,
+ NULL);
}
}
--
2.4.3
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>