thp: keep highpte mapped until it is no longer needed

Two users reported THP-related crashes on 32-bit x86 machines. Their oops reports indicated an invalid pte, and subsequent code inspection showed that the highpte is actually used after unmap. The fix is to unmap the pte only after all operations against it are finished. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> Reported-by: Ilya Dryomov <idryomov@gmail.com> Reported-by: werner <w.landgraf@ru.ru> Cc: Andrea Arcangeli <aarcange@redhat.com> Tested-by: Ilya Dryomov <idryomov@gmail.com> Tested-by: Steven Rostedt <rostedt@goodmis.org Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

thp: keep highpte mapped until it is no longer needed
Two users reported THP-related crashes on 32-bit x86 machines. Their oops reports indicated an invalid pte, and subsequent code inspection showed that the highpte is actually used after unmap. The fix is to unmap the pte only after all operations against it are finished. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> Reported-by: Ilya Dryomov <idryomov@gmail.com> Reported-by: werner <w.landgraf@ru.ru> Cc: Andrea Arcangeli <aarcange@redhat.com> Tested-by: Ilya Dryomov <idryomov@gmail.com> Tested-by: Steven Rostedt <rostedt@goodmis.org Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Johannes Weiner · Linus Torvalds
1 parent 6a108a14fa
Showing 1 changed file with 2 additions and 1 deletions Side-by-side Diff
mm/huge_memory.c
@@ -1837,9 +1837,9 @@
 	spin_lock(ptl);
 	isolated = __collapse_huge_page_isolate(vma, address, pte);
 	spin_unlock(ptl);
-	pte_unmap(pte);
  
 	if (unlikely(!isolated)) {
+		pte_unmap(pte);
 		spin_lock(&mm->page_table_lock);
 		BUG_ON(!pmd_none(*pmd));
 		set_pmd_at(mm, address, pmd, _pmd);
@@ -1856,6 +1856,7 @@
 	anon_vma_unlock(vma->anon_vma);
  
 	__collapse_huge_page_copy(pte, new_page, vma, address, ptl);
+	pte_unmap(pte);
 	__SetPageUptodate(new_page);
 	pgtable = pmd_pgtable(_pmd);
 	VM_BUG_ON(page_count(pgtable) != 1);
...	...	@@ -1837,9 +1837,9 @@
1837	1837	spin_lock(ptl);
1838	1838	isolated = __collapse_huge_page_isolate(vma, address, pte);
1839	1839	spin_unlock(ptl);
1840		- pte_unmap(pte);
1841	1840
1842	1841	if (unlikely(!isolated)) {
	1842	+ pte_unmap(pte);
1843	1843	spin_lock(&mm->page_table_lock);
1844	1844	BUG_ON(!pmd_none(*pmd));
1845	1845	set_pmd_at(mm, address, pmd, _pmd);
...	...	@@ -1856,6 +1856,7 @@
1856	1856	anon_vma_unlock(vma->anon_vma);
1857	1857
1858	1858	__collapse_huge_page_copy(pte, new_page, vma, address, ptl);
	1859	+ pte_unmap(pte);
1859	1860	__SetPageUptodate(new_page);
1860	1861	pgtable = pmd_pgtable(_pmd);
1861	1862	VM_BUG_ON(page_count(pgtable) != 1);