mm, hwpoison: fix page refcnt leaking in try_memory_failure_hugetlb()

Patch series "A few fixup patches for memory-failure", v2.

This series contains a few fixup patches to fix incorrect update of page
refcnt, fix possible use-after-free issue and so on.  More details can be
found in the respective changelogs.

This patch (of 6):

When hwpoison_filter() refuses to hwpoison a hugetlb page, the refcnt of
the page would have been incremented if res == 1.  Using put_page() to fix
the refcnt leaking in this case.

Link: https://lkml.kernel.org/r/20220823032346.4260-1-linmiaohe@huawei.com
Link: https://lkml.kernel.org/r/20220818130016.45313-1-linmiaohe@huawei.com
Link: https://lkml.kernel.org/r/20220818130016.45313-2-linmiaohe@huawei.com
Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/mm/memory-failure.c b/mm/memory-failure.c
index 0dfed9d7b273f25bb54e15b82d643b19b15bf2a4..3f98fa2ac6cf591af7c0ef9e3bf359dac9e78ce6 100644 (file)
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1860,8 +1860,10 @@ retry:
 
        if (hwpoison_filter(p)) {
                hugetlb_clear_page_hwpoison(head);
-               res = -EOPNOTSUPP;
-               goto out;
+               unlock_page(head);
+               if (res == 1)
+                       put_page(head);
+               return -EOPNOTSUPP;
        }
 
        /*