Git Repo - linux.git/commit

author	Mike Kravetz <[email protected]>
	Wed, 11 Jan 2017 00:58:27 +0000 (16:58 -0800)
committer	Linus Torvalds <[email protected]>
	Wed, 11 Jan 2017 02:31:55 +0000 (18:31 -0800)
commit	e5bbc8a6c992901058bc09e2ce01d16c111ff047
tree	58e7d4ea6950878eb4c23d31e68b0c2f96db6f7e	tree \| snapshot
parent	c4e490cf148e85ead0d1b1c2caaba833f1d5b29f	commit \| diff

mm/hugetlb.c: fix reservation race when freeing surplus pages

return_unused_surplus_pages() decrements the global reservation count,
and frees any unused surplus pages that were backing the reservation.

Commit 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in
return_unused_surplus_pages()") added a call to cond_resched_lock in the
loop freeing the pages.

As a result, the hugetlb_lock could be dropped, and someone else could
use the pages that will be freed in subsequent iterations of the loop.
This could result in inconsistent global hugetlb page state, application
api failures (such as mmap) failures or application crashes.

When dropping the lock in return_unused_surplus_pages, make sure that
the global reservation count (resv_huge_pages) remains sufficiently
large to prevent someone else from claiming pages about to be freed.

Analyzed by Paul Cassella.

Fixes: 7848a4bf51b3 ("mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages()")
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Mike Kravetz <[email protected]>
Reported-by: Paul Cassella <[email protected]>
Suggested-by: Michal Hocko <[email protected]>
Cc: Masayoshi Mizuma <[email protected]>
Cc: Naoya Horiguchi <[email protected]>
Cc: Aneesh Kumar <[email protected]>
Cc: Hillf Danton <[email protected]>
Cc: <[email protected]> [3.15+]
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>