[merged] mm-x86-fix-pte_page-crash-in-gup_pte_range.patch removed from -mm tree

The patch titled
     Subject: mm, x86: fix pte_page() crash in gup_pte_range()
has been removed from the -mm tree.  Its filename was
     mm-x86-fix-pte_page-crash-in-gup_pte_range.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
From: Hugh Dickins <hughd@xxxxxxxxxx>
Subject: mm, x86: fix pte_page() crash in gup_pte_range()

Commit 3565fce3a659 ("mm, x86: get_user_pages() for dax mappings") has
moved up the pte_page(pte) in x86's fast gup_pte_range(), for no
discernible reason: put it back where it belongs, after the pte_flags
check and the pfn_valid cross-check.

That may be the cause of the NULL pointer dereference in gup_pte_range(),
seen when vfio called vaddr_get_pfn() when starting a qemu-kvm based VM.

Signed-off-by: Hugh Dickins <hughd@xxxxxxxxxx>
Reported-by: Michael Long <Harn-Solo@xxxxxx>
Tested-by: Michael Long <Harn-Solo@xxxxxx>
Acked-by: Dan Williams <dan.j.williams@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 arch/x86/mm/gup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN arch/x86/mm/gup.c~mm-x86-fix-pte_page-crash-in-gup_pte_range arch/x86/mm/gup.c
--- a/arch/x86/mm/gup.c~mm-x86-fix-pte_page-crash-in-gup_pte_range
+++ a/arch/x86/mm/gup.c
@@ -102,7 +102,6 @@ static noinline int gup_pte_range(pmd_t
 			return 0;
 		}
 
-		page = pte_page(pte);
 		if (pte_devmap(pte)) {
 			pgmap = get_dev_pagemap(pte_pfn(pte), pgmap);
 			if (unlikely(!pgmap)) {
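Review bot: With `page = pte_page(pte);` removed ahead of the `pte_devmap(pte)` test, `page` holds no value derived from this pte anywhere in the devmap branch, so confirm that nothing between here and the new assignment reads it. The visible lines of the branch use only `pte_pfn(pte)` and `pgmap`, which is fine, but the failure path under `if (unlikely(!pgmap))` and the lines elided before the next hunk are not shown and deserve the same check. The changelog also names commit 3565fce3a659 as the origin of the problem, so a Fixes: tag for that commit would make the link machine-readable for backports.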
@@ -115,6 +114,7 @@ static noinline int gup_pte_range(pmd_t
 			return 0;
 		}
 		VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
+		page = pte_page(pte);
 		get_page(page);
 		put_dev_pagemap(pgmap);
 		SetPageReferenced(page);
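Review bot: The new `page = pte_page(pte);` relies on the preceding `VM_BUG_ON(!pfn_valid(pte_pfn(pte)));` as the "pfn_valid cross-check" the changelog mentions, but VM_BUG_ON is only active on CONFIG_DEBUG_VM builds, so on other builds the pte_flags check earlier in the loop is the only thing keeping `pte_page()` and the following `get_page(page)` away from a pte that has no valid struct page behind it. Since this ordering was already lost once in 3565fce3a659, a one-line comment above the assignment saying that it must stay after the flags check would help keep a later cleanup from moving it back up.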
_

Patches currently in -mm which might be from hughd@xxxxxxxxxx are

