From: David Gibson The powerpc specific version of hugetlb_get_unmapped_area() makes some unwarranted assumptions about what checks have been made to its parameters by its callers. This will lead to a BUG_ON() if a 32-bit process attempts to make a hugepage mapping which extends above TASK_SIZE (4GB). I'm not sure if these assumptions came about because they were valid with earlier versions of the get_unmapped_area() path, or if it was always broken. Nonetheless this patch fixes the logic, and removes the crash. Signed-off-by: David Gibson Signed-off-by: Andrew Morton --- arch/powerpc/mm/hugetlbpage.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff -puN arch/powerpc/mm/hugetlbpage.c~fix-bogus-bug_on-in-in-hugetlb_get_unmapped_area arch/powerpc/mm/hugetlbpage.c --- a/arch/powerpc/mm/hugetlbpage.c~fix-bogus-bug_on-in-in-hugetlb_get_unmapped_area +++ a/arch/powerpc/mm/hugetlbpage.c @@ -744,7 +744,8 @@ static int htlb_check_hinted_area(unsign struct vm_area_struct *vma; vma = find_vma(current->mm, addr); - if (!vma || ((addr + len) <= vma->vm_start)) + if (TASK_SIZE - len >= addr && + (!vma || ((addr + len) <= vma->vm_start))) return 0; return -ENOMEM; @@ -815,6 +816,8 @@ unsigned long hugetlb_get_unmapped_area( return -EINVAL; if (len & ~HPAGE_MASK) return -EINVAL; + if (len > TASK_SIZE) + return -ENOMEM; if (!cpu_has_feature(CPU_FTR_16M_PAGE)) return -EINVAL; @@ -823,9 +826,6 @@ unsigned long hugetlb_get_unmapped_area( BUG_ON((addr + len) < addr); if (test_thread_flag(TIF_32BIT)) { - /* Paranoia, caller should have dealt with this */ - BUG_ON((addr + len) > 0x100000000UL); - curareas = current->mm->context.low_htlb_areas; /* First see if we can use the hint address */ _