From: Brian King <brking@us.ibm.com>
To: Hugh Dickins <hugh@veritas.com>
Cc: James Bottomley <James.Bottomley@SteelEye.com>,
Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org
Subject: Re: [PATCH] ipr: don't doublefree pages from scatterlist
Date: Sun, 05 Feb 2006 15:35:50 -0600 [thread overview]
Message-ID: <43E66FB6.6070303@us.ibm.com> (raw)
In-Reply-To: <Pine.LNX.4.61.0602040004020.5406@goblin.wat.veritas.com>
Hugh Dickins wrote:
> On Fri, 3 Feb 2006, Brian King wrote:
>>Hugh Dickins wrote:
>>>On some architectures, mapping the scatterlist may coalesce entries:
>>>if that coalesced list is then used for freeing the pages afterwards,
>>>there's a danger that pages may be doubly freed (and others leaked).
>>I don't understand why this is necessary... Comparing the bug you fixed
>>in st with ipr's usage of scatterlists, there is a bit of a difference.
>>st is dealing with user pages and calling page_cache_release to release
>>the pages, and I can begin to understand why there might be a problem
>>in that code.
>
> Yes, certainly the st and ipr cases seem different, and originally
> I was thinking it was only an issue in connection with get_user_pages.
>
>>page_cache_release looks at the pages themselves to figure
>>out how many compound pages there are. This could certainly result in
>>double free's occurring.
>
> I don't follow you there, but better if I try to explain how I see it.
>
>>Looking at ipr, however, it is simply doing alloc_pages
>>and __free_pages. __free_pages passes in the page allocation order, so
>>I don't think I would have the double free problem.
>>
>>As I understand it, pci_map_sg only modifies the dma_address and dma_length
>>fields when things get coalesced. If it were to coalese pages by
>>turning them into compound pages then I would agree that ipr might have
>>a problem, but I don't think this to be the case...
>
> It's not fully defined what it does (intentionally: internal detail).
I did a quick check of all the different architectures and was unable
to find any architecture that does what you describe below. All coalescing
appears to be done by only modifying the dma_length and dma_address fields in
the scatterlist.
> But as I understand it, what it's likely to do is coalesce entries as
> far as it can (causes no problem in itself) then shift down and attempt
> to coalesce the entries above. It's the shifting down that gives the
> problem.
>
> Imagine we start with sglist
>
> struct page *a, length A
> struct page *b, length B
> struct page *c, length C
>
> and pci_map_sg finds a+A brings it to b (I'm writing loosely, mixing
> the page pointers and their corresponding virtual addresses), but b+B
> does not match c. Then it'll coalesce the first two entries, and
> shift down the third to second place, turning sglist into
>
> struct page *a, length A+B
> struct page *c, length C
> struct page *c, length C
Disagree. This is how I would expect the sglist to look after pci_map_sg:
struct page *a, length A, dma_addr a, dma_length A+B
struct page *b, length B, dma_addr c, dma_length C
struct page *c, length C, dma_addr n/a, dma_length n/a
>
> So (again writing loosely, mixing up lengths and orders) on return the
> caller will __free_pages(a, A+B) (itself probably wrong since a and b
> were likely not buddies to start out with), __free_pages(c, C),
> __free_pages(c, C) - doubly freeing c, ensuing mayhem.
>
> Maybe it doesn't change length A to A+B, just doing that in dma_length;
> but caller is still going to free c twice.
>
> Agree?
No. I can't find any code in any architecture that modifies either the length,
page, or offset fields in the *_map_sg routines.
I'm still failing to see an actual bug in the ipr driver. Unless there is a
good reason for pushing additional complexity on every caller of pci_map_sg
to do additional bookkeeping, such as an architecture that is actually modifying
fields in the scatterlist other than the dma_* fields, then I think it makes
more sense to clarify the API to say that pci_map_sg will not modify these fields.
Brian
--
Brian King
eServer Storage I/O
IBM Linux Technology Center
next prev parent reply other threads:[~2006-02-05 21:35 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-29 17:24 Fw: crash on x86_64 - mm related? Andrew Morton
2005-11-29 18:34 ` Ryan Richter
2005-11-29 20:04 ` Kai Makisara
2005-11-29 20:31 ` Ryan Richter
2005-11-29 20:48 ` Kai Makisara
2005-11-29 20:58 ` Ryan Richter
2005-11-29 21:36 ` Kai Makisara
2005-11-30 5:12 ` Kai Makisara
2005-12-01 19:18 ` Kai Makisara
2005-12-01 19:38 ` Linus Torvalds
2005-12-01 19:56 ` Ryan Richter
2005-12-01 20:21 ` Hugh Dickins
2005-12-01 21:44 ` Kai Makisara
2005-12-02 18:03 ` Ryan Richter
2005-12-02 18:43 ` Jesper Juhl
2005-12-02 19:12 ` Hugh Dickins
2005-12-02 19:44 ` Ryan Richter
2005-12-02 20:40 ` Hugh Dickins
2005-12-03 17:29 ` Ryan Richter
2005-12-06 16:08 ` Ryan Richter
2005-12-06 20:31 ` Hugh Dickins
2005-12-06 20:43 ` Ryan Richter
2005-12-07 18:37 ` Hugh Dickins
2005-12-08 2:26 ` Ryan Richter
2005-12-12 16:54 ` Ryan Richter
2005-12-12 17:40 ` Linus Torvalds
2005-12-12 17:45 ` James Bottomley
2005-12-12 18:04 ` Ryan Richter
2005-12-12 18:09 ` Linus Torvalds
2005-12-12 18:24 ` James Bottomley
2005-12-15 19:09 ` Ryan Richter
2005-12-16 4:01 ` James Bottomley
2005-12-17 3:31 ` Ryan Richter
2005-12-26 23:42 ` Ryan Richter
2005-12-27 16:21 ` Kai Makisara
2006-01-03 19:03 ` Ryan Richter
2006-01-04 17:27 ` Ryan Richter
2006-01-04 21:48 ` Kai Makisara
2006-01-05 5:40 ` Ryan Richter
2006-01-05 20:12 ` Ryan Richter
2006-01-05 21:18 ` Linus Torvalds
2006-01-08 22:36 ` Ryan Richter
2006-01-09 3:31 ` Ryan Richter
2006-01-09 4:07 ` Linus Torvalds
2006-01-09 5:13 ` Andrew Morton
2006-01-09 5:45 ` Ryan Richter
2006-01-09 5:57 ` Andrew Morton
2006-01-09 9:44 ` Hugh Dickins
2006-01-09 18:53 ` Ryan Richter
2006-01-09 19:31 ` Hugh Dickins
2006-01-09 20:05 ` Ryan Richter
2006-01-18 0:12 ` Ryan Richter
2006-01-18 16:00 ` Hugh Dickins
2006-02-03 19:46 ` Hugh Dickins
2006-02-03 19:53 ` [PATCH] st: don't doublefree pages from scatterlist Hugh Dickins
2006-02-03 20:38 ` Mike Christie
2006-02-03 21:16 ` Hugh Dickins
2006-02-04 12:10 ` Kai Makisara
2006-02-04 15:01 ` Hugh Dickins
2006-02-03 19:55 ` [PATCH] ipr: " Hugh Dickins
2006-02-03 22:06 ` Brian King
2006-02-04 0:26 ` Hugh Dickins
2006-02-05 21:35 ` Brian King [this message]
2006-02-06 9:32 ` Hugh Dickins
2006-02-06 9:46 ` David S. Miller
2006-02-06 14:46 ` Brian King
2006-02-06 16:45 ` Hugh Dickins
2006-02-06 17:38 ` James Bottomley
2006-02-06 19:15 ` Brian King
2006-02-06 21:11 ` Andi Kleen
2006-02-06 21:49 ` David S. Miller
2006-02-06 22:11 ` Hugh Dickins
2006-02-06 22:13 ` Andi Kleen
2006-02-07 3:09 ` Ryan Richter
2006-02-11 22:38 ` Ryan Richter
2006-02-12 18:57 ` Hugh Dickins
2006-02-12 21:29 ` Andi Kleen
2006-02-13 17:21 ` Hugh Dickins
2006-02-06 15:02 ` James Bottomley
2006-02-06 17:01 ` Hugh Dickins
2006-02-03 19:56 ` [PATCH] osst: " Hugh Dickins
2006-02-03 21:10 ` Fw: crash on x86_64 - mm related? Ryan Richter
2006-02-04 11:58 ` Kai Makisara
2006-02-04 14:46 ` Hugh Dickins
2006-01-05 22:09 ` Kai Makisara
2006-01-04 18:26 ` Ryan Richter
2005-12-07 18:30 ` Ryan Richter
2005-12-07 18:56 ` Hugh Dickins
2005-12-07 19:06 ` Ryan Richter
2005-12-06 17:57 ` Ryan Richter
2005-12-01 20:28 ` James Bottomley
2005-12-01 21:17 ` Kai Makisara
2005-12-02 13:45 ` Hugh Dickins
2005-12-02 17:59 ` Kai Makisara
2005-12-02 18:55 ` Hugh Dickins
2005-12-02 19:46 ` Kai Makisara
2005-12-02 20:47 ` Hugh Dickins
2005-12-04 9:29 ` Kai Makisara
2005-12-01 19:53 ` Ryan Richter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43E66FB6.6070303@us.ibm.com \
--to=brking@us.ibm.com \
--cc=James.Bottomley@SteelEye.com \
--cc=akpm@osdl.org \
--cc=hugh@veritas.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).