diff for duplicates of <20150812143509.GA12320@node.dhcp.inet.fi> diff --git a/a/1.txt b/N1/1.txt index c11ff9b..8ec283e 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -6,3 +6,56 @@ On Thu, Aug 06, 2015 at 12:24:22PM -0700, Hugh Dickins wrote: I haven't finished the exercise yet. But here's an issue I believe present in current *Linus* tree: + +>From e78eec7d7a8c4cba8b5952a997973f7741e704f4 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> +Date: Wed, 12 Aug 2015 17:09:16 +0300 +Subject: [PATCH] mm: fix potential race in isolate_migratepages_block() + +Hugh has pointed that compound_head() call can be unsafe in some context. +There's one example: + + CPU0 CPU1 + +isolate_migratepages_block() + page_count() + compound_head() + !!PageTail() == true + put_page() + tail->first_page = NULL + head = tail->first_page + alloc_pages(__GFP_COMP) + prep_compound_page() + tail->first_page = head + __SetPageTail(p); + !!PageTail() == true + <head == NULL dereferencing> + +The race is pure theoretical. I don't it's possible to trigger it in +practice. But who knows. + +This can be fixed by avoiding compound_head() in unsafe context. + +Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> +Cc: Hugh Dickins <hughd@google.com> +Cc: David Rientjes <rientjes@google.com> +Cc: Vlastimil Babka <vbabka@suse.cz> +--- + mm/compaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mm/compaction.c b/mm/compaction.c +index 86f04e556f96..bec727b700d3 100644 +--- a/mm/compaction.c ++++ b/mm/compaction.c +@@ -787,7 +787,7 @@ isolate_migratepages_block(struct compact_control *cc, unsigned long low_pfn, + * admittedly racy check. + */ + if (!page_mapping(page) && +- page_count(page) > page_mapcount(page)) ++ atomic_read(&page->_count) > page_mapcount(page)) + continue; + + /* If we already hold the lock, we can skip some rechecking */ +-- + Kirill A. Shutemov 
diff --git a/a/content_digest b/N1/content_digest index bedc8e7..caa9b16 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -33,6 +33,59 @@ "> Please.\n" "\n" "I haven't finished the exercise yet. But here's an issue I believe present\n" - in current *Linus* tree: + "in current *Linus* tree:\n" + "\n" + ">From e78eec7d7a8c4cba8b5952a997973f7741e704f4 Mon Sep 17 00:00:00 2001\n" + "From: \"Kirill A. Shutemov\" <kirill.shutemov@linux.intel.com>\n" + "Date: Wed, 12 Aug 2015 17:09:16 +0300\n" + "Subject: [PATCH] mm: fix potential race in isolate_migratepages_block()\n" + "\n" + "Hugh has pointed that compound_head() call can be unsafe in some context.\n" + "There's one example:\n" + "\n" + "\tCPU0\t\t\t\t\tCPU1\n" + "\n" + "isolate_migratepages_block()\n" + " page_count()\n" + " compound_head()\n" + " !!PageTail() == true\n" + "\t\t\t\t\tput_page()\n" + "\t\t\t\t\t tail->first_page = NULL\n" + " head = tail->first_page\n" + "\t\t\t\t\talloc_pages(__GFP_COMP)\n" + "\t\t\t\t\t prep_compound_page()\n" + "\t\t\t\t\t tail->first_page = head\n" + "\t\t\t\t\t __SetPageTail(p);\n" + " !!PageTail() == true\n" + " <head == NULL dereferencing>\n" + "\n" + "The race is pure theoretical. I don't it's possible to trigger it in\n" + "practice. But who knows.\n" + "\n" + "This can be fixed by avoiding compound_head() in unsafe context.\n" + "\n" + "Signed-off-by: Kirill A. 
Shutemov <kirill.shutemov@linux.intel.com>\n" + "Cc: Hugh Dickins <hughd@google.com>\n" + "Cc: David Rientjes <rientjes@google.com>\n" + "Cc: Vlastimil Babka <vbabka@suse.cz>\n" + "---\n" + " mm/compaction.c | 2 +-\n" + " 1 file changed, 1 insertion(+), 1 deletion(-)\n" + "\n" + "diff --git a/mm/compaction.c b/mm/compaction.c\n" + "index 86f04e556f96..bec727b700d3 100644\n" + "--- a/mm/compaction.c\n" + "+++ b/mm/compaction.c\n" + "@@ -787,7 +787,7 @@ isolate_migratepages_block(struct compact_control *cc, unsigned long low_pfn,\n" + " \t\t * admittedly racy check.\n" + " \t\t */\n" + " \t\tif (!page_mapping(page) &&\n" + "-\t\t page_count(page) > page_mapcount(page))\n" + "+\t\t atomic_read(&page->_count) > page_mapcount(page))\n" + " \t\t\tcontinue;\n" + " \n" + " \t\t/* If we already hold the lock, we can skip some rechecking */\n" + "-- \n" + Kirill A. Shutemov -f255bcdb8445bed55e55bbd01b4a307b0dd6ea4f5fc952f2d4d2d54416228795 +782bee27de7e43893574b94463a9ff0236ebd5cc5277776f00fa1edd93487877
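Review bot: In the mm/compaction.c hunk, the open-coded atomic_read(&page->_count) in the `!page_mapping(page) &&` check carries no comment explaining why page_count() is avoided. A later cleanup could convert it back and reintroduce the compound_head() call that the commit message describes as unsafe in this context. Suggest extending the existing "admittedly racy check" comment to say that page_count() is deliberately not used here because it goes through compound_head(). The commit message should also state what the check now means when `page` is a tail page, since the page's own _count, not the head's, is now compared with page_mapcount(page).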