mm: hugetlb: fix dissolve_free_huge_page use of tail/head page

The routine dissolve_free_huge_page can be passed the tail page of a
hugetlb page.  The tail page is incorrectly passed on to the routines
alloc_huge_page_vmemmap and add_hugetlb_page which expect a hugetlb head
page.

Operating on a tail page instead of head page could result in addressing
exceptions or vmemmap corruption.

Link: https://lkml.kernel.org/r/20210527231225.226987-1-mike.kravetz@oracle.com
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Naoya Horiguchi <naoya.horiguchi@nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 7d64000ec784920f7a10c07f3100b8dc96beff3b..fffa8c3334a13a4f96a17814685756707f631c1f 100644 (file)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -1915,7 +1915,7 @@ retry:
                 * Attempt to allocate vmemmmap here so that we can take
                 * appropriate action on failure.
                 */
-               rc = alloc_huge_page_vmemmap(h, page);
+               rc = alloc_huge_page_vmemmap(h, head);
                if (!rc) {
                        /*
                         * Move PageHWPoison flag from head page to the raw
@@ -1929,7 +1929,7 @@ retry:
                        update_and_free_page(h, head, false);
                } else {
                        spin_lock_irq(&hugetlb_lock);
-                       add_hugetlb_page(h, page, false);
+                       add_hugetlb_page(h, head, false);
                        h->max_huge_pages++;
                        spin_unlock_irq(&hugetlb_lock);
                }