From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Xishi Qiu <qiuxishi@huawei.com>,
Jiang Liu <jiang.liu@huawei.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Mel Gorman <mgorman@suse.de>,
David Rientjes <rientjes@google.com>,
Minchan Kim <minchan@kernel.org>
Subject: [ 62/68] memory hotplug: fix invalid memory access caused by stale kswapd pointer
Date: Thu, 12 Jul 2012 16:02:36 -0700 [thread overview]
Message-ID: <20120712175040.900359634@linuxfoundation.org> (raw)
In-Reply-To: <20120712175035.530652872@linuxfoundation.org>
From: Greg KH <gregkh@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiang Liu <jiang.liu@huawei.com>
commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.
kswapd_stop() is called to destroy the kswapd work thread when all memory
of a NUMA node has been offlined. But kswapd_stop() only terminates the
work thread without resetting NODE_DATA(nid)->kswapd to NULL. The stale
pointer will prevent kswapd_run() from creating a new work thread when
adding memory to the memory-less NUMA node again. Eventually the stale
pointer may cause invalid memory access.
An example stack dump as below. It's reproduced with 2.6.32, but latest
kernel has the same issue.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff81051a94>] exit_creds+0x12/0x78
PGD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/system/memory/memory391/state
CPU 11
Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
RIP: 0010:exit_creds+0x12/0x78
RSP: 0018:ffff8806044f1d78 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
FS: 00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
Stack:
ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
Call Trace:
__put_task_struct+0x5d/0x97
kthread_stop+0x50/0x58
offline_pages+0x324/0x3da
memory_block_change_state+0x179/0x1db
store_mem_state+0x9e/0xbb
sysfs_write_file+0xd0/0x107
vfs_write+0xad/0x169
sys_write+0x45/0x6e
system_call_fastpath+0x16/0x1b
Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
RIP exit_creds+0x12/0x78
RSP <ffff8806044f1d78>
CR2: 0000000000000000
[akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Acked-by: David Rientjes <rientjes@google.com>
Reviewed-by: Minchan Kim <minchan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mmzone.h | 2 +-
mm/vmscan.c | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -633,7 +633,7 @@ typedef struct pglist_data {
range, including holes */
int node_id;
wait_queue_head_t kswapd_wait;
- struct task_struct *kswapd;
+ struct task_struct *kswapd; /* Protected by lock_memory_hotplug() */
int kswapd_max_order;
enum zone_type classzone_idx;
} pg_data_t;
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2952,14 +2952,17 @@ int kswapd_run(int nid)
}
/*
- * Called by memory hotplug when all memory in a node is offlined.
+ * Called by memory hotplug when all memory in a node is offlined. Caller must
+ * hold lock_memory_hotplug().
*/
void kswapd_stop(int nid)
{
struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
- if (kswapd)
+ if (kswapd) {
kthread_stop(kswapd);
+ NODE_DATA(nid)->kswapd = NULL;
+ }
}
static int __init kswapd_init(void)
next prev parent reply other threads:[~2012-07-12 23:05 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-12 17:50 [ 00/68] 3.0.37-stable review Greg KH
2012-07-12 23:01 ` [ 01/68] ALSA: hda - Add Realtek ALC280 codec support Greg Kroah-Hartman
2012-07-12 23:01 ` [ 02/68] powerpc/xmon: Use cpumask iterator to avoid warning Greg Kroah-Hartman
2012-07-12 23:01 ` [ 03/68] media: smsusb: add autodetection support for USB ID 2040:f5a0 Greg Kroah-Hartman
2012-07-12 23:01 ` [ 04/68] ARM: fix rcu stalls on SMP platforms Greg Kroah-Hartman
2012-07-12 23:01 ` [ 05/68] net: sock: validate data_len before allocating skb in sock_alloc_send_pskb() Greg Kroah-Hartman
2012-07-12 23:01 ` [ 06/68] cipso: handle CIPSO options correctly when NetLabel is disabled Greg Kroah-Hartman
2012-07-12 23:01 ` [ 07/68] net: l2tp_eth: fix kernel panic on rmmod l2tp_eth Greg Kroah-Hartman
2012-07-12 23:01 ` [ 08/68] dummy: fix rcu_sched self-detected stalls Greg Kroah-Hartman
2012-07-13 14:09 ` Herton Ronaldo Krzesinski
2012-07-16 15:46 ` Greg Kroah-Hartman
2012-07-12 23:01 ` [ 09/68] ethtool: allow ETHTOOL_GSSET_INFO for users Greg Kroah-Hartman
2012-07-12 23:01 ` [ 10/68] bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2) Greg Kroah-Hartman
2012-07-12 23:01 ` [ 11/68] bonding: Fix corrupted queue_mapping Greg Kroah-Hartman
2012-07-12 23:01 ` [ 12/68] ipv6: Move ipv6 proc file registration to end of init order Greg Kroah-Hartman
2012-07-12 23:01 ` [ 13/68] sky2: fix checksum bit management on some chips Greg Kroah-Hartman
2012-07-12 23:01 ` [ 14/68] be2net: fix a race in be_xmit() Greg Kroah-Hartman
2012-07-12 23:01 ` [ 15/68] netpoll: fix netpoll_send_udp() bugs Greg Kroah-Hartman
2012-07-12 23:01 ` [ 16/68] hwmon: (applesmc) Limit key length in warning messages Greg Kroah-Hartman
2012-07-12 23:01 ` [ 17/68] nilfs2: ensure proper cache clearing for gc-inodes Greg Kroah-Hartman
2012-07-12 23:01 ` [ 18/68] udf: Use ret instead of abusing i in udf_load_logicalvol() Greg Kroah-Hartman
2012-07-12 23:01 ` [ 19/68] udf: Avoid run away loop when partition table length is corrupted Greg Kroah-Hartman
2012-07-12 23:01 ` [ 20/68] udf: Fortify loading of sparing table Greg Kroah-Hartman
2012-07-12 23:01 ` [ 21/68] ath9k: Fix softlockup in AR9485 Greg Kroah-Hartman
2012-07-12 23:01 ` [ 22/68] ath9k_hw: avoid possible infinite loop in ar9003_get_pll_sqsum_dvc Greg Kroah-Hartman
2012-07-13 1:38 ` Herton Ronaldo Krzesinski
2012-07-13 1:49 ` Greg Kroah-Hartman
2012-07-12 23:01 ` [ 23/68] ath9k: enable serialize_regmode for non-PCIE AR9287 Greg Kroah-Hartman
2012-07-12 23:01 ` [ 24/68] ASoC: tlv320aic3x: Fix codec pll configure bug Greg Kroah-Hartman
2012-07-12 23:01 ` [ 25/68] Btrfs: run delayed directory updates during log replay Greg Kroah-Hartman
2012-07-12 23:02 ` [ 26/68] drm/edid: dont return stack garbage from supports_rb Greg Kroah-Hartman
2012-07-12 23:02 ` [ 27/68] drm/nouveau/fbcon: using nv_two_heads is not a good idea Greg Kroah-Hartman
2012-07-12 23:02 ` [ 28/68] drm/i915: Fix eDP blank screen after S3 resume on HP desktops Greg Kroah-Hartman
2012-07-12 23:02 ` [ 29/68] acpi_pad: fix power_saving thread deadlock Greg Kroah-Hartman
2012-07-12 23:02 ` [ 30/68] ACPI: Add a quirk for "AMILO PRO V2030" to ignore the timer overriding Greg Kroah-Hartman
2012-07-12 23:02 ` [ 31/68] ACPI, x86: fix Dell M6600 ACPI reboot regression via DMI Greg Kroah-Hartman
2012-07-12 23:02 ` [ 32/68] ACPI sysfs.c strlen fix Greg Kroah-Hartman
2012-07-12 23:02 ` [ 33/68] stable: Allow merging of backports for serious user-visible performance issues Greg Kroah-Hartman
2012-07-12 23:02 ` [ 34/68] USB: option: add id for Cellient MEN-200 Greg Kroah-Hartman
2012-07-12 23:02 ` [ 35/68] USB: option: Add USB ID for Novatel Ovation MC551 Greg Kroah-Hartman
2012-07-12 23:02 ` [ 36/68] USB: CP210x Add 10 Device IDs Greg Kroah-Hartman
2012-07-12 23:02 ` [ 37/68] cfg80211: fix potential deadlock in regulatory Greg Kroah-Hartman
2012-07-12 23:02 ` [ 38/68] can: c_can: precedence error in c_can_chip_config() Greg Kroah-Hartman
2012-07-12 23:02 ` [ 39/68] oprofile: perf: use NR_CPUS instead or nr_cpumask_bits for static array Greg Kroah-Hartman
2012-07-12 23:02 ` [ 40/68] mac80211: correct behaviour on unrecognised action frames Greg Kroah-Hartman
2012-07-12 23:02 ` [ 41/68] mwifiex: fix 11n rx packet drop issue Greg Kroah-Hartman
2012-07-12 23:02 ` [ 42/68] vfs: make O_PATH file descriptors usable for fchdir() Greg Kroah-Hartman
2012-07-12 22:40 ` ольга крыжановская
2012-07-12 23:02 ` [ 43/68] mtd: cafe_nand: fix an & vs | mistake Greg Kroah-Hartman
2012-07-12 23:02 ` [ 44/68] tcm_fc: Resolve suspicious RCU usage warnings Greg Kroah-Hartman
2012-07-12 23:02 ` [ 45/68] eCryptfs: Gracefully refuse miscdev file ops on inherited/passed files Greg Kroah-Hartman
2012-07-12 23:02 ` [ 46/68] eCryptfs: Fix lockdep warning in miscdev operations Greg Kroah-Hartman
2012-07-12 23:02 ` [ 47/68] eCryptfs: Properly check for O_RDONLY flag before doing privileged open Greg Kroah-Hartman
2012-07-12 23:02 ` [ 48/68] USB: cdc-wdm: fix lockup on error in wdm_read Greg Kroah-Hartman
2012-07-12 23:02 ` [ 49/68] USB: option: add ZTE MF60 Greg Kroah-Hartman
2012-07-12 23:02 ` [ 50/68] USB: option: Add MEDIATEK product ids Greg Kroah-Hartman
2012-07-12 23:02 ` [ 51/68] PCI: EHCI: fix crash during suspend on ASUS computers Greg Kroah-Hartman
2012-07-13 1:42 ` Herton Ronaldo Krzesinski
2012-07-12 23:02 ` [ 52/68] xhci: Avoid dead ports when CONFIG_USB_XHCI_HCD=n Greg Kroah-Hartman
2012-07-12 23:02 ` [ 53/68] ipheth: add support for iPad Greg Kroah-Hartman
2012-07-12 23:02 ` [ 54/68] tracing: change CPU ring buffer state from tracing_cpumask Greg Kroah-Hartman
2012-07-13 1:47 ` Herton Ronaldo Krzesinski
2012-07-12 23:02 ` [ 55/68] vhost: dont forget to schedule() Greg Kroah-Hartman
2012-07-12 23:02 ` [ 56/68] raid5: delayed stripe fix Greg Kroah-Hartman
2012-07-12 23:02 ` [ 57/68] rtl8187: ->brightness_set can not sleep Greg Kroah-Hartman
2012-07-12 23:02 ` [ 58/68] umem: fix up unplugging Greg Kroah-Hartman
2012-07-12 23:02 ` [ 59/68] x86, cpufeature: Rename X86_FEATURE_DTS to X86_FEATURE_DTHERM Greg Kroah-Hartman
2012-07-12 23:02 ` [ 60/68] md/raid5: Do not add data_offset before call to is_badblock Greg Kroah-Hartman
2012-07-12 23:02 ` [ 61/68] md/raid10: Dont try to recovery unmatched (and unused) chunks Greg Kroah-Hartman
2012-07-12 23:02 ` Greg Kroah-Hartman [this message]
2012-07-12 23:02 ` [ 63/68] drivers/rtc/rtc-mxc.c: fix irq enabled interrupts warning Greg Kroah-Hartman
2012-07-12 23:02 ` [ 64/68] mm, thp: abort compaction if migration page cannot be charged to memcg Greg Kroah-Hartman
2012-07-12 23:02 ` [ 65/68] fs: ramfs: file-nommu: add SetPageUptodate() Greg Kroah-Hartman
2012-07-12 23:02 ` [ 66/68] mm: Hold a file reference in madvise_remove Greg Kroah-Hartman
2012-07-13 1:49 ` Herton Ronaldo Krzesinski
2012-07-12 23:02 ` [ 67/68] ACPI: Make acpi_skip_timer_override cover all source_irq==0 cases Greg Kroah-Hartman
2012-07-12 23:02 ` [ 68/68] ACPI: Remove one board specific WARN when ignoring timer overriding Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120712175040.900359634@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jiang.liu@huawei.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mgorman@suse.de \
--cc=minchan@kernel.org \
--cc=qiuxishi@huawei.com \
--cc=rientjes@google.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox