From: Pan Xinhui <xinhuix.pan@intel.com>
To: Borislav Petkov <bp@suse.de>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
tglx@linutronix.de, mingo@redhat.com, hpa@zytor.com,
x86@kernel.org, toshi.kani@hp.com, jgross@suse.com,
mcgrof@suse.com, "mnipxh@163.com" <mnipxh@163.com>
Subject: Re: [PATCH] x86/mm/pat: Do a small optimization in reserve_memtype
Date: Tue, 21 Jul 2015 15:32:50 +0800 [thread overview]
Message-ID: <55ADF5A2.1020005@intel.com> (raw)
In-Reply-To: <20150721065555.GB520@nazgul.tnic>
hi, Borislav
thanks for your reply :)
On 2015年07月21日 14:55, Borislav Petkov wrote:
> On Tue, Jul 21, 2015 at 02:29:35PM +0800, Pan Xinhui wrote:
>> From: Pan Xinhui <xinhuix.pan@intel.com>
>>
>> It's safe and more reasonable to unlock memtype_lock right after
>> rbt_memtype_check_insert.
>>
>> Signed-off-by: Pan Xinhui <xinhuix.pan@intel.com>
>> ---
>> arch/x86/mm/pat.c | 7 ++-----
>> 1 file changed, 2 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
>> index 188e3e0..cb75639 100644
>> --- a/arch/x86/mm/pat.c
>> +++ b/arch/x86/mm/pat.c
>> @@ -538,20 +538,17 @@ int reserve_memtype(u64 start, u64 end, enum page_cache_mode req_type,
>> new->type = actual_type;
>>
>> spin_lock(&memtype_lock);
>> -
>> err = rbt_memtype_check_insert(new, new_type);
>> + spin_unlock(&memtype_lock);
>> +
>> if (err) {
>> pr_info("x86/PAT: reserve_memtype failed [mem %#010Lx-%#010Lx], track %s, req %s\n",
>> start, end - 1,
>> cattr_name(new->type), cattr_name(req_type));
>> kfree(new);
>> - spin_unlock(&memtype_lock);
>> -
>> return err;
>> }
>>
>> - spin_unlock(&memtype_lock);
>> -
>> dprintk("reserve_memtype added [mem %#010Lx-%#010Lx], track %s, req %s, ret %s\n",
>> start, end - 1, cattr_name(new->type), cattr_name(req_type),
>> new_type ? cattr_name(*new_type) : "-");
>
> While you're at it, please fix a similar issue in lookup_memtype() and also
Let me explain why we can't unlock memtype_lock right after rbt_memtype_lookup in lookup_memtype().
CPUA CPUB
spin_lock(&memtype_lock);
entry = rbt_memtype_lookup(paddr);
spin_unlock(&memtype_lock);
----------------------------------------------------------------------------------------
spin_lock(&memtype_lock);
entry = rbt_memtype_erase(start, end);
spin_unlock(&memtype_lock);
if (!entry) {
printk(KERN_INFO "%s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n",
current->comm, current->pid, start, end - 1);
return -EINVAL;
}
kfree(entry);
----------------------------------------------------------------------------------------
if (entry != NULL)
rettype = entry->type;
else
rettype = _PAGE_CACHE_UC_MINUS;
yes, we may access an freed memory at that time. Because entry is stored in rb-tree. Need lock when we access it.
> improve the comments over memtype_lock to explain what exactly it protects.
>
lock is needed when we access the data stored in rb-tree. :)
I find another bug, although it's very hard to hit.
just in reserve_memtype()
----------------------------------
err = rbt_memtype_check_insert(new, new_type);
if (err) {
printk(KERN_INFO "reserve_memtype failed [mem %#010Lx-%#010Lx], track %s, req %s\n",
start, end - 1,
cattr_name(new->type), cattr_name(req_type));
kfree(new);
spin_unlock(&memtype_lock);
return err;
}
spin_unlock(&memtype_lock); //this unlock may cause problems because the next dprintk access *new*
dprintk("reserve_memtype added [mem %#010Lx-%#010Lx], track %s, req %s, ret %s\n",
start, end - 1, cattr_name(new->type), cattr_name(req_type),
new_type ? cattr_name(*new_type) : "-");
----------------------------------
if no err returned, we unlock memtype_lock, *new *is stored is rb-tree. But *new* could be freed at any possible time. race is similar with scenario above.
In the second dprintk, we access *new*, *cattr_name(new->type)*.
I will send patch V2 to fix this issue. I should take a more deep look at this dprintk when I send this patch.
thanks
xinhui
> Thanks.
>
next prev parent reply other threads:[~2015-07-21 7:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-21 6:29 [PATCH] x86/mm/pat: Do a small optimization in reserve_memtype Pan Xinhui
2015-07-21 6:55 ` Borislav Petkov
2015-07-21 7:32 ` Pan Xinhui [this message]
2015-07-21 15:31 ` Borislav Petkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55ADF5A2.1020005@intel.com \
--to=xinhuix.pan@intel.com \
--cc=bp@suse.de \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@suse.com \
--cc=mingo@redhat.com \
--cc=mnipxh@163.com \
--cc=tglx@linutronix.de \
--cc=toshi.kani@hp.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.