Commit 457a98b0 authored Feb 17, 2016 by Hugh Dickins Committed by Linus Torvalds Feb 18, 2016

mm, x86: fix pte_page() crash in gup_pte_range()



Commit 3565fce3 ("mm, x86: get_user_pages() for dax mappings") has
moved up the pte_page(pte) in x86's fast gup_pte_range(), for no
discernible reason: put it back where it belongs, after the pte_flags
check and the pfn_valid cross-check.

That may be the cause of the NULL pointer dereference in
gup_pte_range(), seen when vfio called vaddr_get_pfn() when starting a
qemu-kvm based VM.

Signed-off-by: Hugh Dickins <hughd@google.com>
Reported-by: Michael Long <Harn-Solo@gmx.de>
Tested-by: Michael Long <Harn-Solo@gmx.de>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 0918f1c3

arch/x86/mm/gup.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -102,7 +102,6 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr,
	return 0;		return 0;
	}		}

	page = pte_page(pte);
	if (pte_devmap(pte)) {		if (pte_devmap(pte)) {
	pgmap = get_dev_pagemap(pte_pfn(pte), pgmap);		pgmap = get_dev_pagemap(pte_pfn(pte), pgmap);
	if (unlikely(!pgmap)) {		if (unlikely(!pgmap)) {
	@@ -115,6 +114,7 @@ static noinline int gup_pte_range(pmd_t pmd, unsigned long addr,
	return 0;		return 0;
	}		}
	VM_BUG_ON(!pfn_valid(pte_pfn(pte)));		VM_BUG_ON(!pfn_valid(pte_pfn(pte)));
			page = pte_page(pte);
	get_page(page);		get_page(page);
	put_dev_pagemap(pgmap);		put_dev_pagemap(pgmap);
	SetPageReferenced(page);		SetPageReferenced(page);