linux-kernel.vger.kernel.org archive mirror
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Marcin Slusarz <marcin.slusarz@gmail.com>,
	Pekka Paalanen <pq@iki.fi>,
	Stuart Bennett <stuart@freedesktop.org>,
	Marcin Kocielnicki <koriakin@0x04.net>,
	nouveau@lists.freedesktop.org, Ingo Molnar <mingo@elte.hu>
Subject: [04/54] x86, kmmio/mmiotrace: Fix double free of kmmio_fault_pages
Date: Wed, 11 Aug 2010 17:00:19 -0700	[thread overview]
Message-ID: <20100812000123.684503111@clark.site> (raw)
In-Reply-To: <20100812000249.GA30948@kroah.com>

2.6.34-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Marcin Slusarz <marcin.slusarz@gmail.com>

commit 8b8f79b927b6b302bb65fb8c56e7a19be5fbdbef upstream.

After every iounmap mmiotrace has to free kmmio_fault_pages, but
it can't do it directly, so it defers freeing by RCU.

It usually works, but when mmiotraced code calls ioremap-iounmap
multiple times without sleeping in between (so RCU won't kick in
and start freeing) it can be given the same virtual address, so
at every iounmap mmiotrace will schedule the same pages for
release. Obviously it will explode on the second free.

Fix it by marking kmmio_fault_pages which are scheduled for
release and not adding them a second time.

Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Tested-by: Marcin Kocielnicki <koriakin@0x04.net>
Tested-by: Shinpei KATO <shinpei@il.is.s.u-tokyo.ac.jp>
Acked-by: Pekka Paalanen <pq@iki.fi>
Cc: Stuart Bennett <stuart@freedesktop.org>
Cc: Marcin Kocielnicki <koriakin@0x04.net>
Cc: nouveau@lists.freedesktop.org
LKML-Reference: <20100613215654.GA3829@joi.lan>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 arch/x86/mm/kmmio.c         |   16 +++++++++++++---
 arch/x86/mm/testmmiotrace.c |   22 ++++++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)

--- a/arch/x86/mm/kmmio.c
+++ b/arch/x86/mm/kmmio.c
@@ -45,6 +45,8 @@ struct kmmio_fault_page {
 	 * Protected by kmmio_lock, when linked into kmmio_page_table.
 	 */
 	int count;
+
+	bool scheduled_for_release;
 };
 
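Review bot: the new scheduled_for_release field carries no locking annotation, while the comment just above count says that field is protected by kmmio_lock; every reader and writer of the flag in this patch runs under kmmio_lock, so extend that comment (or add one to the new member) to say so. Also check the allocation site of struct kmmio_fault_page, which is not in this hunk: the flag is only ever set to true in release_kmmio_fault_page and cleared in remove_kmmio_fault_pages, so it relies on the object being zero-initialised, and a kmalloc rather than kzalloc there would leave the first unregister reading garbage.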
 struct kmmio_delayed_release {
@@ -398,8 +400,11 @@ static void release_kmmio_fault_page(uns
 	BUG_ON(f->count < 0);
 	if (!f->count) {
 		disarm_kmmio_fault_page(f);
-		f->release_next = *release_list;
-		*release_list = f;
+		if (!f->scheduled_for_release) {
+			f->release_next = *release_list;
+			*release_list = f;
+			f->scheduled_for_release = true;
+		}
 	}
 }
 
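Review bot: disarm_kmmio_fault_page(f) stays outside the new scheduled_for_release check, so a page that is already on the release list is disarmed again each time its count drops back to zero. That is the correct order, because a re-registration while the page was pending re-armed it and the disarm has to undo that, but a one-line comment above the if would stop the next reader from "tidying" it by moving the disarm inside the guarded branch.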
@@ -471,8 +476,10 @@ static void remove_kmmio_fault_pages(str
 			prevp = &f->release_next;
 		} else {
 			*prevp = f->release_next;
+			f->release_next = NULL;
+			f->scheduled_for_release = false;
 		}
-		f = f->release_next;
+		f = *prevp;
 	}
 	spin_unlock_irqrestore(&kmmio_lock, flags);
 
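Review bot: the change from `f = f->release_next` to `f = *prevp` is load-bearing, not cosmetic: the else branch now sets `f->release_next = NULL` before the advance, so the old form would have ended the walk at the first page that was re-registered while pending and leaked every entry after it. Put a comment on that line. The same branch deserves a note that clearing scheduled_for_release here is what allows a page taken off the list because its count went back up to be queued again by a later unregister; without it the page could never be freed.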
@@ -510,6 +517,9 @@ void unregister_kmmio_probe(struct kmmio
 	kmmio_count--;
 	spin_unlock_irqrestore(&kmmio_lock, flags);
 
+	if (!release_list)
+		return;
+
 	drelease = kmalloc(sizeof(*drelease), GFP_ATOMIC);
 	if (!drelease) {
 		pr_crit("leaking kmmio_fault_page objects.\n");
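Review bot: the early return on an empty release_list is needed, not just an optimisation: with the new flag an unregister can reach this point with nothing to free, and the old code would have allocated a kmmio_delayed_release and queued an RCU callback for an empty list on every such call. Confirm that the tail of unregister_kmmio_probe that the return skips (only the kmalloc and the pr_crit leak message are visible here) does nothing other than the deferred release, since the return happens after kmmio_lock is dropped and before any of it runs.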
--- a/arch/x86/mm/testmmiotrace.c
+++ b/arch/x86/mm/testmmiotrace.c
@@ -90,6 +90,27 @@ static void do_test(unsigned long size)
 	iounmap(p);
 }
 
+/*
+ * Tests how mmiotrace behaves in face of multiple ioremap / iounmaps in
+ * a short time. We had a bug in deferred freeing procedure which tried
+ * to free this region multiple times (ioremap can reuse the same address
+ * for many mappings).
+ */
+static void do_test_bulk_ioremapping(void)
+{
+	void __iomem *p;
+	int i;
+
+	for (i = 0; i < 10; ++i) {
+		p = ioremap_nocache(mmio_address, PAGE_SIZE);
+		if (p)
+			iounmap(p);
+	}
+
+	/* Force freeing. If it will crash we will know why. */
+	synchronize_rcu();
+}
+
 static int __init init(void)
 {
 	unsigned long size = (read_far) ? (8 << 20) : (16 << 10);
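Review bot: a failing ioremap_nocache in do_test_bulk_ioremapping is swallowed by `if (p)`, so if every iteration fails the loop exercises nothing and the following "All done." still implies the reuse path was tested. Count the failures (or pr_err on the first one) so a vacuous run is visible in the log. The synchronize_rcu() at the end is the part that actually provokes the bug, since it forces the deferred callback to run before init returns; keep the comment that says so.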
@@ -104,6 +125,7 @@ static int __init init(void)
 		   "and writing 16 kB of rubbish in there.\n",
 		   size >> 10, mmio_address);
 	do_test(size);
+	do_test_bulk_ioremapping();
 	pr_info("All done.\n");
 	return 0;
 }

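The double queueing the commit message describes, modelled in userspace as an added example (this is not kernel code and not part of the patch): a single-bucket page table plus the intrusive release list, with a `guarded` switch selecting the pre-patch or patched behaviour of release_kmmio_fault_page, and a flush that mirrors remove_kmmio_fault_pages. Names such as probe_register, release_flush and the address 0x1000 are assumptions of the model; the pre-patch run is detected by a bounded walk rather than executed, because pushing the same node twice links it to itself.

```c
/* Userspace model of mmiotrace's deferred fault-page release (added example, not kernel code). */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct fault_page {
	unsigned long addr;
	int count;                   /* live probes on this page */
	bool scheduled_for_release;  /* the flag the patch adds */
	struct fault_page *next;     /* page-table chain (one bucket here) */
	struct fault_page *release_next;
};

static struct fault_page *page_table;    /* every page the tracer knows about */
static struct fault_page *release_list;  /* pages queued for deferred free */
static bool guarded = true;              /* false = pre-patch behaviour */

static struct fault_page *lookup(unsigned long addr)
{
	struct fault_page *f;
	for (f = page_table; f; f = f->next)
		if (f->addr == addr)
			return f;
	return NULL;
}

/* ioremap + probe registration: find or create the page and take a reference. */
int probe_register(unsigned long addr)
{
	struct fault_page *f = lookup(addr);
	if (!f) {
		f = calloc(1, sizeof(*f));  /* zeroed: scheduled_for_release starts false */
		if (!f)
			return -1;
		f->addr = addr;
		f->next = page_table;
		page_table = f;
	}
	f->count++;
	return 0;
}

/* iounmap + probe removal: drop the reference and queue the page when it hits zero. */
int probe_unregister(unsigned long addr)
{
	struct fault_page *f = lookup(addr);
	if (!f || f->count <= 0)
		return -1;
	if (--f->count == 0 && (!guarded || !f->scheduled_for_release)) {
		f->release_next = release_list;  /* unguarded: may link f to itself */
		release_list = f;
		f->scheduled_for_release = true;
	}
	return 0;
}

/* Bounded walk of release_list: its length, or -1 if the list loops on itself. */
int release_queue_length(void)
{
	struct fault_page *f;
	int n = 0;
	for (f = release_list; f; f = f->release_next)
		if (++n > 64)
			return -1;
	return n;
}

/* The deferred callback: pages re-registered while pending are taken off the
 * list and stay alive; the rest are unlinked from the table and freed.
 * Returns the number of pages freed. */
int release_flush(void)
{
	struct fault_page **prevp = &release_list, *f = release_list, *n;
	int freed = 0;
	while (f) {
		if (!f->count) {
			struct fault_page **pp = &page_table;
			while (*pp != f)
				pp = &(*pp)->next;
			*pp = f->next;               /* unlink from the page table */
			prevp = &f->release_next;
		} else {
			*prevp = f->release_next;    /* still in use: drop it from the list */
			f->release_next = NULL;
			f->scheduled_for_release = false;
		}
		f = *prevp;                          /* not f->release_next: it may be NULL now */
	}
	for (f = release_list; f; f = n) {
		n = f->release_next;
		free(f);
		freed++;
	}
	release_list = NULL;
	return freed;
}

/* Discard all state; frees via page_table only, so a looped release_list is harmless. */
void reset_model(bool guard)
{
	struct fault_page *f, *n;
	for (f = page_table; f; f = n) {
		n = f->next;
		free(f);
	}
	page_table = release_list = NULL;
	guarded = guard;
}

/* ioremap/iounmap the same address `iters` times with no grace period in between,
 * then flush. Returns -1 if the list looped (pre-patch double add), else pages freed. */
int scenario_reuse(bool guard, int iters)
{
	int i, r;
	reset_model(guard);
	for (i = 0; i < iters; i++)
		if (probe_register(0x1000) || probe_unregister(0x1000))
			return -2;
	r = release_queue_length() < 0 ? -1 : release_flush();
	reset_model(true);
	return r;
}

/* Page re-registered while pending: returns -1 if the flush freed it while in use,
 * else how many pages the flush frees once it is finally unregistered. */
int scenario_reregister_pending(void)
{
	int r;
	reset_model(true);
	probe_register(0x1000);
	probe_unregister(0x1000);   /* queued */
	probe_register(0x1000);     /* back in use before the grace period */
	r = release_flush() ? -1 : (probe_unregister(0x1000), release_flush());
	reset_model(true);
	return r;
}

int main(void)
{
	printf("pre-patch, 2 cycles: %d (-1 = list loops on itself)\n", scenario_reuse(false, 2));
	printf("patched, 10 cycles: %d page(s) freed\n", scenario_reuse(true, 10));
	printf("re-registered while pending: %d page(s) freed\n", scenario_reregister_pending());
	return 0;
}
```

The unguarded run never reaches a free: with the same page pushed twice, `f->release_next = release_list` points the node at itself, which is the "explode on the second free" case in the commit message. The guarded run queues the page once regardless of how many times the address is recycled, and the third scenario shows why remove_kmmio_fault_pages must clear the flag when it drops a page whose count went back up.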

