From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Ingo Molnar <mingo@elte.hu>,
Thomas Gleixner <tglx@linutronix.de>, Andi Kleen <ak@suse.de>
Subject: [patch 15/19] x86: fix global_flush_tlb() bug
Date: Wed, 14 Nov 2007 22:15:10 -0800
Message-ID: <20071115061510.GP7980@kroah.com>
In-Reply-To: <20071115061415.GA7980@kroah.com>
[-- Attachment #1: x86-fix-global_flush_tlb-bug.patch --]
[-- Type: text/plain, Size: 2180 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Ingo Molnar <mingo@elte.hu>
patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream
While we were reviewing pageattr_32/64.c for unification,
Thomas Gleixner noticed the following serious SMP bug in
global_flush_tlb():
down_read(&init_mm.mmap_sem);
list_replace_init(&deferred_pages, &l);
up_read(&init_mm.mmap_sem);
this is SMP-unsafe because list_replace_init() done on two CPUs in
parallel can corrupt the list.
This bug has been introduced about a year ago in the 64-bit tree:
commit ea7322decb974a4a3e804f96a0201e893ff88ce3
Author: Andi Kleen <ak@suse.de>
Date: Thu Dec 7 02:14:05 2006 +0100
[PATCH] x86-64: Speed and clean up cache flushing in change_page_attr
down_read(&init_mm.mmap_sem);
- dpage = xchg(&deferred_pages, NULL);
+ list_replace_init(&deferred_pages, &l);
up_read(&init_mm.mmap_sem);
the xchg() based version was SMP-safe, but list_replace_init() is not.
So this "cleanup" introduced a nasty bug.
why this bug never became prominent is a mystery - it can probably be
explained with the (still) relative obscurity of the x86_64 architecture.
the safe fix for now is to write-lock init_mm.mmap_sem.
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <ak@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86_64/mm/pageattr.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/arch/x86_64/mm/pageattr.c
+++ b/arch/x86_64/mm/pageattr.c
@@ -229,9 +229,14 @@ void global_flush_tlb(void)
struct page *pg, *next;
struct list_head l;
- down_read(&init_mm.mmap_sem);
+ /*
+ * Write-protect the semaphore, to exclude two contexts
+ * doing a list_replace_init() call in parallel and to
+ * exclude new additions to the deferred_pages list:
+ */
+ down_write(&init_mm.mmap_sem);
list_replace_init(&deferred_pages, &l);
- up_read(&init_mm.mmap_sem);
+ up_write(&init_mm.mmap_sem);
flush_map(&l);
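Review bot: the second claim in the new comment above down_write(), that the write lock also excludes "new additions to the deferred_pages list", cannot be checked from this hunk, because the code that adds pages to deferred_pages and the lock it holds are not shown here. That exclusion holds only if every path inserting into deferred_pages holds init_mm.mmap_sem (in either mode) around the insertion, so the comment should name that function and its lock mode, or a matching comment should go at the insertion site. Minor wording point: "Write-protect the semaphore" would read better as "Take the semaphore for writing", which is what down_write() does. Since the changelog describes this as the safe fix "for now", the comment could also say that using mmap_sem as the list lock is provisional. Calling flush_map(&l) after up_write() looks fine, since l is a private list once list_replace_init() has returned.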
--