From: Andrew Morton <akpm@linux-foundation.org>
To: Pravin B Shelar <pshelar@nicira.com>
Cc: cl@linux.com, penberg@kernel.org, aarcange@redhat.com,
linux-mm@kvack.org, abhide@nicira.com
Subject: Re: [Resend PATCH v2] mm: Fix slab->page _count corruption.
Date: Fri, 8 Jun 2012 13:10:45 -0700
Message-ID: <20120608131045.90708bda.akpm@linux-foundation.org>
In-Reply-To: <1338405610-1788-1-git-send-email-pshelar@nicira.com>

On Wed, 30 May 2012 12:20:10 -0700 Pravin B Shelar <pshelar@nicira.com> wrote:

> On arches that do not support this_cpu_cmpxchg_double slab_lock is used
> to do atomic cmpxchg() on double word which contains page->_count.
> page count can be changed from get_page() or put_page() without taking
> slab_lock. That corrupts page counter.
>
> Following patch fixes it by moving page->_count out of cmpxchg_double
> data. So that slub does not change it while updating slub meta-data in
> struct page.
>
> Reported-by: Amey Bhide <abhide@nicira.com>
> Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
> Acked-by: Christoph Lameter <cl@linux.com>
> ---
> include/linux/mm_types.h | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
> index 18b48c4..e54a6b0 100644
> --- a/include/linux/mm_types.h
> +++ b/include/linux/mm_types.h
> @@ -57,8 +57,16 @@ struct page {
> };
>
> union {
> +#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
> + defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
> /* Used for cmpxchg_double in slub */
> unsigned long counters;
> +#else
> + /* Keep _count separate from slub cmpxchg_double data,
> + * As rest of double word is protected by slab_lock
> + * but _count is not. */
> + unsigned counters;
> +#endif
>
> struct {
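
Review bot: In the #else branch, "unsigned counters;" gives counters a different width from the "unsigned long counters;" kept in the #if branch, and the new comment does not say that the narrower field is meant to cover exactly the slub bitfield struct that follows in the union (inuse:16, objects:15, frozen:1) and nothing else. Suggest spelling that out in the comment, so a later change to those bitfields or to where _count sits does not silently reintroduce the overlap, and laying the comment out in the usual multi-line form with the opening /* on its own line and a lower-case "as". The changelog would also be stronger if it said which configurations take the #else path and how the corruption was observed.
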
OK. I assume this bug has been there for quite some time.

How serious is it? Have people been reporting it in real workloads?
How to trigger it? IOW, does this need -stable backporting?

Also, someone forgot to document these:

	struct {
		unsigned inuse:16;
		unsigned objects:15;
		unsigned frozen:1;
	};

pls fix.
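
The lost update described in the quoted commit message, replayed as one fixed interleaving in user-space C. This is an added example, not code from the patch or from the kernel; the type names, the starting values and the single-threaded replay of the race are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the layout in the patch; not the kernel's struct page. */
struct slub_bits { unsigned inuse:16; unsigned objects:15; unsigned frozen:1; };
_Static_assert(sizeof(struct slub_bits) == 4, "bitfields fill one 32-bit word");

/* Before: 'counters' is a 64-bit word that also covers _count. */
union word_before {
    uint64_t counters;
    struct { struct slub_bits slub; int32_t _count; } f;
};

/* After (#else branch): 'counters' is 32 bits wide, _count lies outside it. */
struct word_after {
    union { uint32_t counters; struct slub_bits slub; } u;
    int32_t _count;
};

/* One interleaving: slub snapshots 'counters' and passes its compare under
 * slab_lock, a get_page()-style increment lands without that lock, then slub
 * stores its updated 'counters'. _count starts at 1, so 2 is the right answer. */
int32_t replay_before(void)
{
    union word_before page = { .f = { .slub = { .inuse = 3, .objects = 8 }, ._count = 1 } };
    union word_before old = page, upd = page;      /* slub snapshot */
    upd.f.slub.inuse--;                            /* slub frees one object */
    if (page.counters != old.counters) return -1;  /* compare, lock held */
    page.f._count++;                               /* unlocked get_page() */
    page.counters = upd.counters;                  /* store also rewrites _count */
    return page.f._count;
}

int32_t replay_after(void)
{
    struct word_after page = { .u = { .slub = { .inuse = 3, .objects = 8 } }, ._count = 1 };
    struct word_after old = page, upd = page;
    upd.u.slub.inuse--;
    if (page.u.counters != old.u.counters) return -1;
    page._count++;                                 /* unlocked get_page() */
    page.u.counters = upd.u.counters;              /* only the slub bits are stored */
    return page._count;
}

int main(void)
{
    printf("before=%d after=%d\n", (int)replay_before(), (int)replay_after());
    return 0;
}
```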