mm/gup: fix memfd_pin_folios alloc race panic

Steve Sistare · akpm00 · commit ce645b9fdc78 · 2024-09-26T14:01:43.000-07:00
If memfd_pin_folios tries to create a hugetlb page, but someone else already did, then folio gets the value -EEXIST here: folio = memfd_alloc_folio(memfd, start_idx); if (IS_ERR(folio)) { ret = PTR_ERR(folio); if (ret != -EEXIST) goto err; then on the next trip through the "while start_idx" loop we panic here: if (folio) { folio_put(folio); To fix, set the folio to NULL on error. Link: https://lkml.kernel.org/r/1725373521-451395-6-git-send-email-steven.sistare@oracle.com Fixes: 89c1905 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare <steven.sistare@oracle.com> Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com> Cc: David Hildenbrand <david@redhat.com> Cc: Jason Gunthorpe <jgg@nvidia.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Muchun Song <muchun.song@linux.dev> Cc: Peter Xu <peterx@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/mm/gup.c b/mm/gup.c
@@ -3702,6 +3702,7 @@ long memfd_pin_folios(struct file *memfd, loff_t start, loff_t end,
 					ret = PTR_ERR(folio);
 					if (ret != -EEXIST)
 						goto err;
+					folio = NULL;
 				}
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -3702,6 +3702,7 @@ long memfd_pin_folios(struct file *memfd, loff_t start, loff_t end,`
`3702`	`3702`	`ret = PTR_ERR(folio);`
`3703`	`3703`	`if (ret != -EEXIST)`
`3704`	`3704`	`goto err;`
	`3705`	`+ folio = NULL;`
`3705`	`3706`	`}`
`3706`	`3707`	`}`
`3707`	`3708`	`}`