memory leak with RCU_TABLE_FREE

commit e73b7fffe487c315fd1a4fa22282e3362b440a06 upstream.

The rcu page table free code uses a couple of bits in the page table
pointer passed to tlb_remove_table to discern the different page table
types. __tlb_remove_table extracts the type with an incorrect mask which
leads to memory leaks. The correct mask is ((FRAG_MASK << 4) | FRAG_MASK).

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c
index 37a23c22370576415441e7542728b79a233f2f58..458893f5f6b8a4b40757db4ba0819a14525d8b6a 100644 (file)
--- a/arch/s390/mm/pgtable.c
+++ b/arch/s390/mm/pgtable.c
@@ -291,8 +291,9 @@ void page_table_free_rcu(struct mmu_gather *tlb, unsigned long *table)
 
 void __tlb_remove_table(void *_table)
 {
-       void *table = (void *)((unsigned long) _table & PAGE_MASK);
-       unsigned type = (unsigned long) _table & ~PAGE_MASK;
+       const unsigned long mask = (FRAG_MASK << 4) | FRAG_MASK;
+       void *table = (void *)((unsigned long) _table & ~mask);
+       unsigned type = (unsigned long) _table & mask;
 
        if (type)
                __page_table_free_rcu(table, type);