From 2a46eed54a28c1e3de701ca4237ce4f8bebf14c6 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Wed, 20 Nov 2013 22:16:36 +0000 Subject: [PATCH] Wrong page freed on preallocate_pmds() failure exit Note that pmds[i] is simply uninitialized at that point... Granted, it's very hard to hit (you need split page locks *and* kmalloc(sizeof(spinlock_t), GFP_KERNEL) failing), but the code is obviously bogus. Introduced by commit 09ef4939850a ("x86: add missed pgtable_pmd_page_ctor/dtor calls for preallocated pmds") Signed-off-by: Al Viro Cc: Kirill A. Shutemov Cc: Ingo Molnar Cc: Andrew Morton Signed-off-by: Linus Torvalds --- arch/x86/mm/pgtable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index a7cccb6d7fec..36aa999b2631 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -209,7 +209,7 @@ static int preallocate_pmds(pmd_t *pmds[]) if (!pmd) failed = true; if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) { - free_page((unsigned long)pmds[i]); + free_page((unsigned long)pmd); pmd = NULL; failed = true; }