6.11-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve Sistare steven.sistare@oracle.com
commit ce645b9fdc78ec5d28067286e92871ddae6817d5 upstream.
If memfd_pin_folios tries to create a hugetlb page, but someone else already did, then folio gets the value -EEXIST here:
folio = memfd_alloc_folio(memfd, start_idx); if (IS_ERR(folio)) { ret = PTR_ERR(folio); if (ret != -EEXIST) goto err;
then on the next trip through the "while start_idx" loop we panic here:
if (folio) { folio_put(folio);
To fix, set the folio to NULL on error.
Link: https://lkml.kernel.org/r/1725373521-451395-6-git-send-email-steven.sistare@... Fixes: 89c1905d9c14 ("mm/gup: introduce memfd_pin_folios() for pinning memfd folios") Signed-off-by: Steve Sistare steven.sistare@oracle.com Acked-by: Vivek Kasireddy vivek.kasireddy@intel.com Cc: David Hildenbrand david@redhat.com Cc: Jason Gunthorpe jgg@nvidia.com Cc: Matthew Wilcox willy@infradead.org Cc: Muchun Song muchun.song@linux.dev Cc: Peter Xu peterx@redhat.com Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- mm/gup.c | 1 + 1 file changed, 1 insertion(+)
--- a/mm/gup.c +++ b/mm/gup.c @@ -3705,6 +3705,7 @@ long memfd_pin_folios(struct file *memfd ret = PTR_ERR(folio); if (ret != -EEXIST) goto err; + folio = NULL; } } }