From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Zhihua Che <zhihua.che@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>
Subject: [15/15] slub: fix a possible memleak in __slab_alloc()
Date: Thu, 16 Feb 2012 16:55:24 -0800
Message-ID: <20120217005511.894980544@linuxfoundation.org>
In-Reply-To: <20120217005650.GA17119@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
commit 73736e0387ba0e6d2b703407b4d26168d31516a7 upstream.
Zhihua Che reported a possible memleak in slub allocator on
CONFIG_PREEMPT=y builds.
It is possible current thread migrates right before disabling irqs in
__slab_alloc(). We must check again c->freelist, and perform a normal
allocation instead of scratching c->freelist.
Many thanks to Zhihua Che for spotting this bug, introduced in 2.6.39.
V2: It's also possible an IRQ freed one (or several) object(s) and
populated c->freelist, so it's not a CONFIG_PREEMPT only problem.
Reported-by: Zhihua Che <zhihua.che@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slub.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1818,6 +1818,11 @@ static void *__slab_alloc(struct kmem_ca
if (unlikely(!node_match(c, node)))
goto another_slab;
+ /* must check again c->freelist in case of cpu migration or IRQ */
+ object = c->freelist;
+ if (object)
+ goto update_freelist;
+
stat(s, ALLOC_REFILL);
load_freelist:
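Review bot: the comment above "object = c->freelist;" names the two triggers (cpu migration, IRQ) but not the consequence, so a later reader cannot tell why the recheck must stay. Suggest extending it to say that a non-NULL c->freelist at this point would otherwise be overwritten further down and its objects leaked, which is the failure the changelog describes. Also worth a word in the comment that this path deliberately skips "stat(s, ALLOC_REFILL);", since no refill happens when the per-cpu freelist is already populated.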
@@ -1827,6 +1832,7 @@ load_freelist:
if (kmem_cache_debug(s))
goto debug;
+update_freelist:
c->freelist = get_freepointer(s, object);
page->inuse = page->objects;
page->freelist = NULL;
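Review bot: placing "update_freelist:" directly above "c->freelist = get_freepointer(s, object);" means the new path also runs "page->inuse = page->objects;" and "page->freelist = NULL;", even though on that path object was taken from c->freelist rather than from the page. Please confirm that page->freelist cannot hold objects when we arrive here via the new goto, otherwise clearing it would drop them and trade one leak for another. The label also sits below "if (kmem_cache_debug(s)) goto debug;", so the new path bypasses the debug branch; a short comment at the label stating why that is safe would help.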