Re: BUG: Use after free in free_huge_page()

[Adam Litke <agl@us.ibm.com>]

Hi Andrew, thanks for the detailed report.  I am taking a look at this 
but it seems a lot has happened since I last looked at this code.  (If 
anyone else knows what might be going on here, please do chime in).

Andrew Hastings wrote:
> I think what happens is:
> 1.  Driver does get_user_pages() for pages mapped by hugetlbfs.
> 2.  Process exits.
> 3.  hugetlbfs file is closed; the vma->vm_file->f_mapping value stored in
>     page_private now points to freed memory
> 4.  Driver file is closed; driver's release() function calls put_page()
>     which calls free_huge_page() which passes bogus mapping value to
>     hugetlb_put_quota().

:( Definitely seems plausible.

> I'd like to help with a fix, but it's not immediately obvious to me what
> the right path is.  Should hugetlb_no_page() always call add_to_page_cache()
> even if VM_MAYSHARE is clear?

Are you seeing any corruption in the HugePages_Rsvd: counter?  Would it 
be possible for you to run the libhugetlbfs test suite before and after 
trigerring the bug and let me know if any additional tests fail after 
you reproduce this?

Thanks.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>