The patch titled
     Subject: mm, x86: fix pte_page() crash in gup_pte_range()
has been added to the -mm tree.  Its filename is
     mm-x86-fix-pte_page-crash-in-gup_pte_range.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/mm-x86-fix-pte_page-crash-in-gup_pte_range.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/mm-x86-fix-pte_page-crash-in-gup_pte_range.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Hugh Dickins <hughd@xxxxxxxxxx>
Subject: mm, x86: fix pte_page() crash in gup_pte_range()

Commit 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings") has
moved up the pte_page(pte) in x86's fast gup_pte_range(), for no
discernible reason: put it back where it belongs, after the pte_flags
check and the pfn_valid cross-check.

That may be the cause of the NULL pointer dereference in gup_pte_range(),
seen when vfio called vaddr_get_pfn() when starting a qemu-kvm based VM.

Signed-off-by: Hugh Dickins <hughd@xxxxxxxxxx>
Reported-by: Michael Long <Harn-Solo@xxxxxx>
Tested-by: Michael Long <Harn-Solo@xxxxxx>
Cc: Dan Williams <dan.j.williams@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 arch/x86/mm/gup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN arch/x86/mm/gup.c~mm-x86-fix-pte_page-crash-in-gup_pte_range arch/x86/mm/gup.c
--- a/arch/x86/mm/gup.c~mm-x86-fix-pte_page-crash-in-gup_pte_range
+++ a/arch/x86/mm/gup.c
@@ -102,7 +102,6 @@ static noinline int gup_pte_range(pmd_t return 0; } - page = pte_page(pte); if (pte_devmap(pte)) { pgmap = get_dev_pagemap(pte_pfn(pte), pgmap); if (unlikely(!pgmap)) { @@ -115,6 +114,7 @@ static noinline int gup_pte_range(pmd_t return 0; } VM_BUG_ON(!pfn_valid(pte_pfn(pte))); + page = pte_page(pte); get_page(page); put_dev_pagemap(pgmap); SetPageReferenced(page); _ Patches currently in -mm which might be from hughd@xxxxxxxxxx are mm-x86-fix-pte_page-crash-in-gup_pte_range.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
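Review bot: removing `page = pte_page(pte);` in the first hunk (@@ -102,7 +102,6 @@) leaves `page` unassigned until the second hunk re-adds it after `VM_BUG_ON(!pfn_valid(pte_pfn(pte)));`, so any use of `page` in the lines between the two hunks (old lines 109-114, not shown here, covering the rest of the pte_devmap branch and what follows it) would now read an uninitialized variable. The visible context in the pte_devmap branch only touches pte_pfn(pte) and pgmap, so it looks safe, but please confirm the elided lines and check that the build stays clean under -Wmaybe-uninitialized before this goes in.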
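Review bot: in the second hunk (@@ -115,6 +114,7 @@) `page = pte_page(pte);` now sits after `VM_BUG_ON(!pfn_valid(pte_pfn(pte)));`, but VM_BUG_ON is compiled out unless CONFIG_DEBUG_VM is enabled, so on a production kernel this ordering does not gate pte_page() on pfn_valid() at all; the real protection is the pte_flags check and the devmap handling above it, which the old placement bypassed. Since the commit message only says the move "may be the cause" of the NULL pointer dereference and the Tested-by is the sole evidence of root cause on this page, it would help to spell out which earlier check the previously hoisted pte_page() call was running ahead of. The placement itself is fine: the only consumers of `page` that remain are the immediately following get_page(page) and SetPageReferenced(page).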