From: Al Viro Date: Wed, 20 Nov 2013 22:16:36 +0000 (+0000) Subject: Wrong page freed on preallocate_pmds() failure exit X-Git-Tag: firefly_0821_release~176^2~4914 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2a46eed54a28c1e3de701ca4237ce4f8bebf14c6;p=firefly-linux-kernel-4.4.55.git Wrong page freed on preallocate_pmds() failure exit Note that pmds[i] is simply uninitialized at that point... Granted, it's very hard to hit (you need split page locks *and* kmalloc(sizeof(spinlock_t), GFP_KERNEL) failing), but the code is obviously bogus. Introduced by commit 09ef4939850a ("x86: add missed pgtable_pmd_page_ctor/dtor calls for preallocated pmds") Signed-off-by: Al Viro Cc: Kirill A. Shutemov Cc: Ingo Molnar Cc: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index a7cccb6d7fec..36aa999b2631 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -209,7 +209,7 @@ static int preallocate_pmds(pmd_t *pmds[]) if (!pmd) failed = true; if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) { - free_page((unsigned long)pmds[i]); + free_page((unsigned long)pmd); pmd = NULL; failed = true; }