Re: [PATCH] mm: Fix incorrect pfn passed to untrack_pfn in remap_pfn_range
From: Andrew Morton
Date: Fri Apr 22 2016 - 14:38:37 EST
On Fri, 22 Apr 2016 18:31:28 +0800 Yongji Xie <xyjxie@xxxxxxxxxxxxxxxxxx> wrote:
> We used generic hooks in remap_pfn_range to help archs to
> track pfnmap regions. The code is something like:
>
> int remap_pfn_range()
> {
> ...
> track_pfn_remap(vma, &prot, pfn, addr, PAGE_ALIGN(size));
> ...
> pfn -= addr >> PAGE_SHIFT;
> ...
> untrack_pfn(vma, pfn, PAGE_ALIGN(size));
> ...
> }
>
> Here we can easily find the pfn is changed but not recovered
> before untrack_pfn() is called. That's incorrect.
What are the runtime effects of this bug?
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -1755,6 +1755,7 @@ int remap_pfn_range(struct vm_area_struct *vma, unsigned long addr,
> break;
> } while (pgd++, addr = next, addr != end);
>
> + pfn += (end - PAGE_ALIGN(size)) >> PAGE_SHIFT;
> if (err)
> untrack_pfn(vma, pfn, PAGE_ALIGN(size));
I'm having trouble understanding this. Wouldn't it be better to simply
save the track_pfn_remap() call's `pfn' arg in a new local variable?