mm/hwpoison: fix potential pte_unmap_unlock pte error

If the first pte is equal to poisoned_pfn, i.e.  check_hwpoisoned_entry()
return 1, the wrong ptep - 1 would be passed to pte_unmap_unlock().

Link: https://lkml.kernel.org/r/20210814105131.48814-3-linmiaohe@huawei.com
Fixes: ad9c59c24095 ("mm,hwpoison: send SIGBUS with error virutal address")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 9793c78..224bd0b 100644 (file)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -632,7 +632,7 @@ static int hwpoison_pte_range(pmd_t *pmdp, unsigned long addr,
 {
        struct hwp_walk *hwp = (struct hwp_walk *)walk->private;
        int ret = 0;
-       pte_t *ptep;
+       pte_t *ptep, *mapped_pte;
        spinlock_t *ptl;
 
        ptl = pmd_trans_huge_lock(pmdp, walk->vma);
@@ -645,14 +645,15 @@ static int hwpoison_pte_range(pmd_t *pmdp, unsigned long addr,
        if (pmd_trans_unstable(pmdp))
                goto out;
 
-       ptep = pte_offset_map_lock(walk->vma->vm_mm, pmdp, addr, &ptl);
+       mapped_pte = ptep = pte_offset_map_lock(walk->vma->vm_mm, pmdp,
+                                               addr, &ptl);
        for (; addr != end; ptep++, addr += PAGE_SIZE) {
                ret = check_hwpoisoned_entry(*ptep, addr, PAGE_SHIFT,
                                             hwp->pfn, &hwp->tk);
                if (ret == 1)
                        break;
        }
-       pte_unmap_unlock(ptep - 1, ptl);
+       pte_unmap_unlock(mapped_pte, ptl);
 out:
        cond_resched();
        return ret;