From: Andrew Hastings <abh@cray.com>
To: Mel Gorman <mel@csn.ul.ie>
Cc: Adam Litke <agl@us.ibm.com>, "linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: BUG: Use after free in free_huge_page()
Date: Wed, 07 Apr 2010 13:20:51 -0500
Message-ID: <4BBCCD03.1020105@cray.com>
In-Reply-To: <20100330111855.GC15466@csn.ul.ie>
Mel Gorman wrote:
> On Thu, Mar 25, 2010 at 12:18:05AM -0500, Andrew Hastings wrote:
>> It seems to me that hugetlbfs ought to take an extra reference on the vma
>> or vm_file or f_mapping or _something_ if vma->vm_file->f_mapping is needed
>> by free_huge_page().
>
> Again, I haven't looked closely at this but a reference count on the VMA
> wouldn't help. After all, the VMAs have already been cleared up and the
> page tables. As far as the code is concerned, that file is no longer in
> use. I'd also not try reference counting during get_user_pages and
> someohw releasing that count later. Too much mess.
>
> The most likely avenue is to store a reference to the superblock instead
> of the mapping in page->private which is what put_quota is really
> interested in. There might still be a race there if hugetlbfs managed to
> get unmounted before the pages were freed though - not 100% sure.
The hugetlbfs_sb_info struct that holds the quota is allocated separately from
the superblock. Would it make sense for page->private to point directly to
hugetlbfs_sb_info, and reference count hugetlbfs_sb_info instead? Seems like
this would avoid the unmount race.
-Andrew Hastings
Cray Inc.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: email@kvack.org
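As an added illustration of the lifetime scheme Andrew proposes (this is a user-space model written for this page, not kernel code and not from anyone in the thread), the following C program gives a separately allocated `sb_info` its own reference count. The superblock holds one reference and every huge page that points at the `sb_info` through its `private` field holds another, so unmounting the filesystem before the pages are freed cannot leave `free_huge_page()` with a dangling pointer: the quota is returned through the page's own pinned reference, and the `sb_info` is released only when the last page drops it. All names (`sb_info_get`, `sb_info_put`, `hugetlbfs_mount`, `hugetlbfs_unmount`, the quota values) are hypothetical stand-ins for the kernel's `kref`-style accounting, chosen for the example.

```c
/* Added example: user-space model of a reference-counted hugetlbfs_sb_info.
 * Hypothetical names; the kernel would use struct kref and hugetlbfs helpers. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

static int live_sb_infos;   /* number of sb_info objects currently allocated (for checking) */

struct sb_info {
    unsigned refs;          /* one for the superblock, plus one per page that points here */
    long free_blocks;       /* quota accounting (constructed values) */
};

struct page {
    struct sb_info *private; /* analogue of page->private pointing at sb_info, not at a mapping */
};

struct super_block {
    struct sb_info *s_fs_info;
};

static struct sb_info *sb_info_get(struct sb_info *s)
{
    s->refs++;
    return s;
}

static void sb_info_put(struct sb_info *s)
{
    assert(s->refs > 0);
    if (--s->refs == 0) {
        live_sb_infos--;
        free(s);
    }
}

/* Mount: allocate the sb_info separately from the superblock, as hugetlbfs does. */
static struct super_block *hugetlbfs_mount(long quota_blocks)
{
    struct super_block *sb = calloc(1, sizeof *sb);
    struct sb_info *s = calloc(1, sizeof *s);
    s->refs = 1;                 /* the superblock's own reference */
    s->free_blocks = quota_blocks;
    live_sb_infos++;
    sb->s_fs_info = s;
    return sb;
}

/* Allocate a huge page: charge one block of quota and pin the sb_info from the page. */
static struct page *alloc_huge_page(struct super_block *sb)
{
    struct sb_info *s = sb->s_fs_info;
    if (s->free_blocks == 0)
        return NULL;
    s->free_blocks--;
    struct page *p = calloc(1, sizeof *p);
    p->private = sb_info_get(s);
    return p;
}

/* Free a huge page: return the quota through the page's own reference, then drop it.
 * Safe even if the filesystem has already been unmounted. */
static void free_huge_page(struct page *p)
{
    struct sb_info *s = p->private;
    s->free_blocks++;
    p->private = NULL;
    sb_info_put(s);
    free(p);
}

/* Unmount drops only the superblock's reference; sb_info survives while pages pin it. */
static void hugetlbfs_unmount(struct super_block *sb)
{
    sb_info_put(sb->s_fs_info);
    free(sb);
}

/* The race discussed in the thread: unmount happens before the pages are freed.
 * Returns 1 if the sb_info outlived the unmount, the quota came back, and nothing leaked. */
static int scenario_unmount_before_free(void)
{
    struct super_block *sb = hugetlbfs_mount(2);
    struct page *a = alloc_huge_page(sb);
    struct page *b = alloc_huge_page(sb);
    struct sb_info *s = sb->s_fs_info;

    hugetlbfs_unmount(sb);                              /* superblock gone, pages still out */
    int alive_after_unmount = (live_sb_infos == 1);     /* still pinned by two pages */

    free_huge_page(a);
    int quota_returned = (s->free_blocks == 1);         /* s is still valid: b pins it */

    free_huge_page(b);                                  /* last reference: sb_info freed here */
    return alive_after_unmount && quota_returned && live_sb_infos == 0;
}

int main(void)
{
    printf("unmount-before-free scenario %s\n",
           scenario_unmount_before_free() ? "ok" : "FAILED");
    return 0;
}
```

The point of the model is ownership: whoever needs the object at `free_huge_page()` time must own a counted reference to it, and that reference must be taken when the page is charged, not looked up through a VMA or mapping that may already be gone.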
Thread overview: 6+ messages
2010-03-22 20:28 BUG: Use after free in free_huge_page() Andrew Hastings
2010-03-23 14:02 ` Adam Litke
2010-03-23 17:56 ` Mel Gorman
2010-03-25 5:18 ` Andrew Hastings
2010-03-30 11:18 ` Mel Gorman
2010-04-07 18:20 ` Andrew Hastings [this message]