From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk, Mel Gorman <mgorman@suse.de>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Christoph Lameter <cl@linux.com>, Josh Boyer <jwboyer@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 101/122] mempolicy: fix a race in shared_policy_replace()
Date: Thu, 11 Oct 2012 07:54:27 +0900
Message-ID: <20121010225356.229912538@linuxfoundation.org>
In-Reply-To: <20121010225337.989799482@linuxfoundation.org>

3.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mel Gorman <mgorman@suse.de>

commit b22d127a39ddd10d93deee3d96e643657ad53a49 upstream.

shared_policy_replace()'s use of sp_alloc() is unsafe.  1) sp_node cannot
be dereferenced if sp->lock is not held and 2) another thread can modify
sp_node between spin_unlock for allocating a new sp node and next
spin_lock.  The bug was introduced before 2.6.12-rc2.

Kosaki's original patch for this problem was to allocate an sp node and
policy within shared_policy_replace and initialise it when the lock is
reacquired.  I was not keen on this approach because it partially
duplicates sp_alloc().  As the paths where sp->lock is taken are not that
performance critical this patch converts sp->lock to sp->mutex so it can
sleep when calling sp_alloc().

[kosaki.motohiro@jp.fujitsu.com: Original patch]
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Cc: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mempolicy.h |    2 +-
 mm/mempolicy.c            |   37 ++++++++++++++++---------------------
 2 files changed, 17 insertions(+), 22 deletions(-)

--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -188,7 +188,7 @@ struct sp_node {
 
 struct shared_policy {
 	struct rb_root root;
-	spinlock_t lock;
+	struct mutex mutex;
 };
 
 void mpol_shared_policy_init(struct shared_policy *sp, struct mempolicy *mpol);
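Review bot: struct shared_policy now embeds a struct mutex, but this hunk adds no `#include <linux/mutex.h>` to include/linux/mempolicy.h; unless the header already pulls it in, an includer that previously only needed spinlock.h reachable will fail to compile. Suggest adding the include in the same hunk rather than relying on a transitive include.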
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2083,7 +2083,7 @@ bool __mpol_equal(struct mempolicy *a, s
  */
 
 /* lookup first element intersecting start-end */
-/* Caller holds sp->lock */
+/* Caller holds sp->mutex */
 static struct sp_node *
 sp_lookup(struct shared_policy *sp, unsigned long start, unsigned long end)
 {
@@ -2147,13 +2147,13 @@ mpol_shared_policy_lookup(struct shared_
 
 	if (!sp->root.rb_node)
 		return NULL;
-	spin_lock(&sp->lock);
+	mutex_lock(&sp->mutex);
 	sn = sp_lookup(sp, idx, idx+1);
 	if (sn) {
 		mpol_get(sn->policy);
 		pol = sn->policy;
 	}
-	spin_unlock(&sp->lock);
+	mutex_unlock(&sp->mutex);
 	return pol;
 }
 
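Review bot: mutex_lock() can sleep, so after this hunk mpol_shared_policy_lookup() must never be called with a spinlock held, under rcu_read_lock(), or from atomic context; the callers are not in the diff, and the commit message only argues that these paths are not performance critical, which is a different property from being allowed to sleep. A might_sleep() audit of the callers (or a `might_sleep()` at the top of this function) would make the new requirement explicit. The unlocked `if (!sp->root.rb_node) return NULL;` fast path is unchanged by the patch.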
@@ -2193,10 +2193,10 @@ static struct sp_node *sp_alloc(unsigned
 static int shared_policy_replace(struct shared_policy *sp, unsigned long start,
 				 unsigned long end, struct sp_node *new)
 {
-	struct sp_node *n, *new2 = NULL;
+	struct sp_node *n;
+	int ret = 0;
 
-restart:
-	spin_lock(&sp->lock);
+	mutex_lock(&sp->mutex);
 	n = sp_lookup(sp, start, end);
 	/* Take care of old policies in the same range. */
 	while (n && n->start < end) {
@@ -2209,16 +2209,14 @@ restart:
 		} else {
 			/* Old policy spanning whole new range. */
 			if (n->end > end) {
+				struct sp_node *new2;
+				new2 = sp_alloc(end, n->end, n->policy);
 				if (!new2) {
-					spin_unlock(&sp->lock);
-					new2 = sp_alloc(end, n->end, n->policy);
-					if (!new2)
-						return -ENOMEM;
-					goto restart;
+					ret = -ENOMEM;
+					goto out;
 				}
 				n->end = start;
 				sp_insert(sp, new2);
-				new2 = NULL;
 				break;
 			} else
 				n->end = start;
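Review bot: shared_policy_replace() can now sleep, since sp_alloc() runs with sp->mutex held (which is the whole point of the change), but nothing in the hunk documents that; a `might_sleep()` at the top of the function or a `/* may sleep */` comment would stop a future caller from taking it under a spinlock. Style: `struct sp_node *new2;` followed by `new2 = sp_alloc(end, n->end, n->policy);` can be one declaration with initialiser. The logic itself looks right: n->end and n->policy are read, n is trimmed and new2 is inserted within one critical section, and assuming the tree's ranges do not overlap (so a node spanning the whole new range is the only intersecting one), `ret = -ENOMEM; goto out;` returns before the tree is modified; as before, the caller still owns `new` on that error return.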
@@ -2229,12 +2227,9 @@ restart:
 	}
 	if (new)
 		sp_insert(sp, new);
-	spin_unlock(&sp->lock);
-	if (new2) {
-		mpol_put(new2->policy);
-		kmem_cache_free(sn_cache, new2);
-	}
-	return 0;
+out:
+	mutex_unlock(&sp->mutex);
+	return ret;
 }
 
 /**
@@ -2252,7 +2247,7 @@ void mpol_shared_policy_init(struct shar
 	int ret;
 
 	sp->root = RB_ROOT;		/* empty tree == default mempolicy */
-	spin_lock_init(&sp->lock);
+	mutex_init(&sp->mutex);
 
 	if (mpol) {
 		struct vm_area_struct pvma;
@@ -2318,7 +2313,7 @@ void mpol_free_shared_policy(struct shar
 
 	if (!p->root.rb_node)
 		return;
-	spin_lock(&p->lock);
+	mutex_lock(&p->mutex);
 	next = rb_first(&p->root);
 	while (next) {
 		n = rb_entry(next, struct sp_node, nd);
@@ -2327,7 +2322,7 @@ void mpol_free_shared_policy(struct shar
 		mpol_put(n->policy);
 		kmem_cache_free(sn_cache, n);
 	}
-	spin_unlock(&p->lock);
+	mutex_unlock(&p->mutex);
 }
 
 /* assumes fs == KERNEL_DS */
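To make the race described in the commit message concrete, here is an added user-space model (not kernel code and not part of this patch): a range list stands in for the rb-tree, an int flag for sp->lock / sp->mutex, and one call to a constructed other_thread() for the preemption window; all names, the POISON_POLICY value and the scenario are constructed. With hold_lock=0 the tail piece is built from a node the competing thread has already freed; with hold_lock=1 the competing thread cannot run until the split is complete.

```c
#include <stdlib.h>
#define POISON_POLICY (-1)  /* what a freed node's policy "reads as" in this model */
struct sp_node { unsigned long start, end; int policy; struct sp_node *next; };
struct shared_policy { struct sp_node *head; int locked; };  /* locked: sp->lock / sp->mutex */
static struct sp_node *sp_lookup(struct shared_policy *sp, unsigned long addr)
{
	for (struct sp_node *n = sp->head; n; n = n->next)
		if (n->start <= addr && addr < n->end)
			return n;
	return NULL;
}
static void sp_insert(struct shared_policy *sp, unsigned long s, unsigned long e, int pol)
{
	struct sp_node *n = malloc(sizeof *n);          /* model code: no NULL check */
	*n = (struct sp_node){ s, e, pol, sp->head };
	sp->head = n;
}
/* The competing thread. It only runs while the lock is free (a mutex_lock() would
 * block it); it drops the newest node and poisons it, like kmem_cache_free() would. */
static void other_thread(struct shared_policy *sp)
{
	if (sp->locked || !sp->head) return;
	struct sp_node *victim = sp->head;
	sp->head = victim->next;
	victim->policy = POISON_POLICY;                 /* not freed, so the stale read is visible */
}

/* Install [start,end) into a node spanning it. hold_lock=0 models the spinlock code
 * (unlock, sp_alloc, restart), hold_lock=1 the mutex code. Returns what sp_alloc() read. */
static int shared_policy_replace(struct shared_policy *sp, unsigned long start,
				 unsigned long end, int new_policy, int hold_lock)
{
	sp->locked = 1;
	struct sp_node *n = sp_lookup(sp, start);       /* scenario guarantees a spanning node */
	sp->locked = hold_lock;                         /* spinlock code: spin_unlock() before sp_alloc() */
	other_thread(sp);                               /* the window another thread can use */
	int tail_policy = n->policy; unsigned long tail_end = n->end;  /* unlocked deref if !hold_lock */
	sp->locked = 1;                                 /* spin_lock(); goto restart */
	if (sp_lookup(sp, start) == n) {                /* n survived: trim it and insert the tail */
		n->end = start;
		sp_insert(sp, end, tail_end, tail_policy);
	}
	sp_insert(sp, start, end, new_policy);
	sp->locked = 0;
	return tail_policy;
}

/* Constructed scenario: policy 7 covers [0,100); replace [40,60) with policy 9. */
static int run_scenario(int hold_lock)
{
	struct shared_policy sp = { 0 };
	sp_insert(&sp, 0, 100, 7);
	return shared_policy_replace(&sp, 40, 60, 9, hold_lock);
}
```

In the kernel the poisoned read is mpol_dup(n->policy) on a mempolicy that may already be freed, which is why the fix keeps the lock across sp_alloc() rather than re-validating n afterwards.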


