From: Ingo Molnar <mingo@elte.hu>
To: Vegard Nossum <vegard.nossum@gmail.com>
Cc: stable@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Nick Piggin <npiggin@suse.de>,
Pekka Enberg <penberg@cs.helsinki.fi>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm: fix lazy vmap purging (use-after-free error)
Date: Fri, 20 Feb 2009 17:01:57 +0100
Message-ID: <20090220160157.GA11294@elte.hu>
In-Reply-To: <19f34abd0902200651k7e86aebay5398ef5ac0578561@mail.gmail.com>
* Vegard Nossum <vegard.nossum@gmail.com> wrote:
> 2009/2/20 Ingo Molnar <mingo@elte.hu>:
> >
> > * Ingo Molnar <mingo@elte.hu> wrote:
> >
> >> ah, indeed:
> >>
> >> list_del_rcu(&va->list);
> >>
> >> i suspect it could be hit big time in a workload that opens
> >> more than 512 files, as expand_files() uses a
> >> vmalloc()+vfree() pair in that case.
> >
> > hm, perhaps it's not a problem after all. The freeing is done
> > via rcu, and list_del_rcu() leaves the forward pointer intact.
>
> Well, it's not the particular line that you posted, in any case.
> That's &va->list, but the traversed list is &va->purge_list.
>
> I thought it would be the line:
>
> call_rcu(&va->rcu_head, rcu_free_va);
>
> (which does kfree() in the callback) that was the problem.
>
> >
> > So how did it happen that the entry got kfree()d before the loop
> > was done? We are in a spinlocked section so the CPU should not
> > have entered rcu processing.
>
> I added some printks to __free_vmap_area() and rcu_free_va(), and it
> shows that the kfree() is being called immediately (inside the list
> traversal). So the call_rcu() is happening immediately (or almost
> immediately).
>
> If I've understood correctly, the RCU processing can happen inside a
> spinlock, as long as interrupts are enabled. (Won't the timer IRQ
> trigger softirq processing, which triggers RCU callback processing,
> for example?)
>
> And interrupts are enabled when this happens: EFLAGS: 00000292
>
> Please correct me if I am wrong!
The timer irq will do RCU garbage-collection - but only of
entries where a grace period has passed.
Otherwise there would be no point in using RCU at all, if the
kfree() can happen immediately. RCU is about delaying action,
and doing it at a point in time when we sure are in a quiescent
state. (we have done a context-switch or scheduled to idle)
The question is, is this piece of loop traversal code
preemptible? I don't think it is since it's embedded in a
spinlock:
spin_lock(&vmap_area_lock);
- list_for_each_entry(va, &valist, purge_list)
+ list_for_each_entry_safe(va, n_va, &valist, purge_list)
__free_vmap_area(va);
spin_unlock(&vmap_area_lock);
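Review bot: the switch to list_for_each_entry_safe() is the right idiom for this loop irrespective of the open question of when the RCU callback runs: list_for_each_entry() reads va->purge_list.next only after __free_vmap_area(va) has returned, so the traversal depends on va still being valid after the body has handed it off for freeing, whereas the _safe variant caches the following entry in n_va before the body executes. The hunk as quoted does not show where n_va is declared; the full patch needs `struct vmap_area *n_va;` (or an addition to the existing declaration) in the same function, and the changelog should say plainly that the traversal itself, not the RCU delay, is what protects this loop, since purge_list is a different list from the va->list that list_del_rcu() unlinks (see the quoted discussion above).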
[ on -rt this could be preemptible and this would be a real fix
there. I just don't see how the kfree() can execute on
mainline. Obviously it did, since you got the kmemcheck
assert. ]
Ingo
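The loop from the hunk above, rebuilt as a stand-alone userspace C program (an added example, not code from the kernel, from the patch or from anyone in this thread). It re-creates just enough of list.h to run list_for_each_entry() and list_for_each_entry_safe() style traversals over a constructed valist of four vmap_areas, models kfree() as landing immediately inside the loop (the case Vegard reported seeing), and uses a toy kmemcheck that counts every read of purge_list.next from an entry that has already been freed. All of purge_for_each, purge_for_each_safe, toy_kfree, free_vmap_area_now, build_valist and count_freed are invented for this example; the fake allocator never really frees memory, which is what keeps the unsafe loop from being undefined behaviour in userspace.

```c
/* Userspace model of the purge loop. pool[] stands in for the slab,
 * toy_kfree() for kfree() (it only marks the object freed) and purge_next()
 * for kmemcheck (it counts reads from freed objects). kfree() is modelled
 * as running right away. Every name below is made up for this example. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
	struct list_head *prev = head->prev;
	entry->next = head; entry->prev = prev;
	prev->next = entry; head->prev = entry;
}

struct vmap_area {
	unsigned long va_start, va_end;
	struct list_head purge_list;
	int freed;                 /* toy kmemcheck state, set by toy_kfree() */
};

#define NR_AREAS 4
static struct vmap_area pool[NR_AREAS];   /* stands in for the slab cache */
static int uaf_reports;                   /* reads of freed objects seen */

static void toy_kfree(struct vmap_area *va) { va->freed = 1; }

/* Read purge_list.next as kmemcheck would see it: a read from an object
 * that was already kfree()d is a use-after-free and gets counted. The
 * list head itself is not a vmap_area and is never checked. */
static struct list_head *purge_next(struct list_head *l, struct list_head *head)
{
	if (l != head && container_of(l, struct vmap_area, purge_list)->freed)
		uaf_reports++;
	return l->next;
}

/* list_for_each_entry(): next is read AFTER the body has run on va. */
#define purge_for_each(va, head)                                          \
	for (va = list_entry((head)->next, struct vmap_area, purge_list);     \
	     &va->purge_list != (head);                                       \
	     va = list_entry(purge_next(&va->purge_list, head),               \
			     struct vmap_area, purge_list))

/* list_for_each_entry_safe(): the next entry is cached in n BEFORE the body. */
#define purge_for_each_safe(va, n, head)                                  \
	for (va = list_entry((head)->next, struct vmap_area, purge_list),     \
	     n = list_entry(purge_next(&va->purge_list, head),                \
			    struct vmap_area, purge_list);                            \
	     &va->purge_list != (head);                                       \
	     va = n, n = list_entry(purge_next(&n->purge_list, head),         \
				   struct vmap_area, purge_list))

/* __free_vmap_area() with the kfree() landing immediately. */
static void free_vmap_area_now(struct vmap_area *va)
{
	va->va_start = va->va_end = 0;
	toy_kfree(va);
}

/* Constructed input: four lazily freed areas chained through purge_list. */
static void build_valist(struct list_head *valist)
{
	INIT_LIST_HEAD(valist);
	for (int i = 0; i < NR_AREAS; i++) {
		pool[i].va_start = 0x1000UL * (i + 1);
		pool[i].va_end = pool[i].va_start + 0x1000;
		pool[i].freed = 0;
		list_add_tail(&pool[i].purge_list, valist);
	}
}

/* The loop before the patch. Returns the number of use-after-free reads. */
int purge_unsafe(void)
{
	struct list_head valist;
	struct vmap_area *va;

	build_valist(&valist);
	uaf_reports = 0;
	purge_for_each(va, &valist)
		free_vmap_area_now(va);
	return uaf_reports;
}

/* The loop after the patch. Returns the number of use-after-free reads. */
int purge_safe(void)
{
	struct list_head valist;
	struct vmap_area *va, *n_va;

	build_valist(&valist);
	uaf_reports = 0;
	purge_for_each_safe(va, n_va, &valist)
		free_vmap_area_now(va);
	return uaf_reports;
}

/* How many pool entries the most recent purge actually freed. */
int count_freed(void)
{
	int n = 0;
	for (int i = 0; i < NR_AREAS; i++)
		n += pool[i].freed;
	return n;
}

int main(void)
{
	int unsafe = purge_unsafe(), unsafe_freed = count_freed();
	int safe = purge_safe(), safe_freed = count_freed();

	printf("unsafe loop: %d reads of freed vmap_areas, %d freed\n", unsafe, unsafe_freed);
	printf("safe loop:   %d reads of freed vmap_areas, %d freed\n", safe, safe_freed);
	return 0;
}
```

Compiled with gcc and run, the unsafe loop reports one freed-object read per entry (four) and the safe loop none, while both free all four entries. That is the whole content of the fix: the _safe variant makes the traversal correct regardless of when the RCU callback actually gets to run.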
Thread overview: 46+ messages
2009-02-20 13:41 [PATCH] mm: fix lazy vmap purging (use-after-free error) Vegard Nossum
2009-02-20 13:50 ` Ingo Molnar
2009-02-20 13:58 ` Pekka Enberg
2009-02-20 14:01 ` Ingo Molnar
2009-02-20 14:18 ` Pekka Enberg
2009-02-20 15:41 ` Paul E. McKenney
2009-02-20 14:51 ` Vegard Nossum
2009-02-20 15:46 ` Paul E. McKenney
2009-02-20 16:04 ` Ingo Molnar
2009-02-20 16:44 ` Paul E. McKenney
2009-02-20 17:14 ` Ingo Molnar
2009-02-20 17:25 ` Paul E. McKenney
2009-02-20 23:51 ` Vegard Nossum
2009-02-21 1:40 ` Paul E. McKenney
2009-02-21 9:30 ` Vegard Nossum
2009-02-21 17:47 ` Paul E. McKenney
2009-02-21 18:08 ` Vegard Nossum
2009-02-21 18:33 ` Paul E. McKenney
2009-02-21 18:37 ` Vegard Nossum
2009-02-22 3:00 ` Paul E. McKenney
2009-02-23 5:17 ` Paul E. McKenney
2009-02-23 8:24 ` Vegard Nossum
2009-02-23 15:39 ` Paul E. McKenney
2009-02-23 9:07 ` Ingo Molnar
2009-02-23 9:17 ` Andrew Morton
2009-02-23 9:27 ` Ingo Molnar
2009-02-23 15:56 ` Paul E. McKenney
2009-02-23 13:29 ` Nick Piggin
2009-02-23 16:17 ` Paul E. McKenney
2009-02-23 17:20 ` Ingo Molnar
2009-02-23 19:10 ` Andrew Morton
2009-02-23 19:30 ` Paul E. McKenney
2009-02-23 19:59 ` Andrew Morton
2009-02-23 20:12 ` Paul E. McKenney
2009-02-23 20:30 ` Andrew Morton
2009-02-23 19:33 ` Ingo Molnar
2009-02-23 20:04 ` Andrew Morton
2009-02-23 20:09 ` Ingo Molnar
2009-02-23 20:44 ` Paul E. McKenney
2009-02-23 20:43 ` Paul E. McKenney
2009-02-24 3:23 ` Nick Piggin
2009-02-24 3:37 ` Paul E. McKenney
2009-02-21 19:21 ` Vegard Nossum
2009-02-20 16:01 ` Ingo Molnar [this message]
2009-02-20 16:49 ` Paul E. McKenney
2009-02-20 15:56 ` Paul E. McKenney