path: root/mm/pagewalk.c
diff options
authorJann Horn <>2017-11-14 01:03:44 +0100
committerLinus Torvalds <>2017-11-15 13:12:08 -0800
commit373c4557d2aa362702c4c2d41288fb1e54990b7c (patch)
tree4dd47b260e9210d3da7bb3408d70a459f9467a59 /mm/pagewalk.c
parent5bbcc0f595fadb4cac0eddc4401035ec0bd95b09 (diff)
mm/pagewalk.c: report holes in hugetlb ranges
This matters at least for the mincore syscall, which will otherwise copy uninitialized memory from the page allocator to userspace. It is probably also a correctness error for /proc/$pid/pagemap, but I haven't tested that. Removing the `walk->hugetlb_entry` condition in walk_hugetlb_range() has no effect because the caller already checks for that. This only reports holes in hugetlb ranges to callers who have specified a hugetlb_entry callback. This issue was found using an AFL-based fuzzer. v2: - don't crash on ->pte_hole==NULL (Andrew Morton) - add Cc stable (Andrew Morton) Fixes: 1e25a271c8ac ("mincore: apply page table walker on do_mincore()") Signed-off-by: Jann Horn <> Cc: <> Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'mm/pagewalk.c')
1 files changed, 5 insertions, 1 deletions
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index 8bd4afa83cb8..23a3e415ac2c 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -188,8 +188,12 @@ static int walk_hugetlb_range(unsigned long addr, unsigned long end,
do {
next = hugetlb_entry_end(h, addr, end);
pte = huge_pte_offset(walk->mm, addr & hmask, sz);
- if (pte && walk->hugetlb_entry)
+ if (pte)
err = walk->hugetlb_entry(pte, hmask, addr, next, walk);
+ else if (walk->pte_hole)
+ err = walk->pte_hole(addr, next, walk);
if (err)
} while (addr = next, addr != end);