From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
alan@lxorguk.ukuu.org.uk, Mel Gorman <mgorman@suse.de>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Christoph Lameter <cl@linux.com>, Josh Boyer <jwboyer@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [ 76/84] mempolicy: fix a race in shared_policy_replace()
Date: Thu, 11 Oct 2012 11:04:00 +0900
Message-ID: <20121011015430.744047863@linuxfoundation.org>
In-Reply-To: <20121011015417.017144658@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mel Gorman <mgorman@suse.de>
commit b22d127a39ddd10d93deee3d96e643657ad53a49 upstream.
shared_policy_replace() use of sp_alloc() is unsafe. 1) sp_node cannot
be dereferenced if sp->lock is not held and 2) another thread can modify
sp_node between spin_unlock for allocating a new sp node and next
spin_lock. The bug was introduced before 2.6.12-rc2.
Kosaki's original patch for this problem was to allocate an sp node and
policy within shared_policy_replace and initialise it when the lock is
reacquired. I was not keen on this approach because it partially
duplicates sp_alloc(). As the paths where sp->lock is taken are not that
performance critical this patch converts sp->lock to sp->mutex so it can
sleep when calling sp_alloc().
[kosaki.motohiro@jp.fujitsu.com: Original patch]
Signed-off-by: Mel Gorman <mgorman@suse.de>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Cc: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mempolicy.h | 2 +-
mm/mempolicy.c | 37 ++++++++++++++++---------------------
2 files changed, 17 insertions(+), 22 deletions(-)
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -188,7 +188,7 @@ struct sp_node {
struct shared_policy {
struct rb_root root;
- spinlock_t lock;
+ struct mutex mutex;
};
void mpol_shared_policy_init(struct shared_policy *sp, struct mempolicy *mpol);
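Review bot: the type change from spinlock_t to struct mutex silently changes the locking rules for everything that embeds struct shared_policy: sp->mutex may only be taken from a context that can sleep, so a caller that still grabs the lock under a spinlock, inside an RCU read-side section or from interrupt context will now trigger a might_sleep() splat at runtime rather than a build error (the rename at least makes any leftover use of the old field name fail to compile). Suggest documenting that on the field, e.g. `struct mutex mutex; /* protects root; may sleep */`.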
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2021,7 +2021,7 @@ int __mpol_equal(struct mempolicy *a, st
*/
/* lookup first element intersecting start-end */
-/* Caller holds sp->lock */
+/* Caller holds sp->mutex */
static struct sp_node *
sp_lookup(struct shared_policy *sp, unsigned long start, unsigned long end)
{
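Review bot: the locking requirement of sp_lookup() is stated only in a comment, which is exactly the kind of rule this bug slipped past. Since the lock is now a mutex with lockdep annotations, a `lockdep_assert_held(&sp->mutex);` at the top of sp_lookup() would turn the comment into a check on debug builds at no cost on production ones.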
@@ -2085,13 +2085,13 @@ mpol_shared_policy_lookup(struct shared_
if (!sp->root.rb_node)
return NULL;
- spin_lock(&sp->lock);
+ mutex_lock(&sp->mutex);
sn = sp_lookup(sp, idx, idx+1);
if (sn) {
mpol_get(sn->policy);
pol = sn->policy;
}
- spin_unlock(&sp->lock);
+ mutex_unlock(&sp->mutex);
return pol;
}
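Review bot: the `if (!sp->root.rb_node) return NULL;` fast path at the top of this hunk still reads the tree root before the lock is taken. That was already true with the spinlock and is benign (a lookup racing with the first insert may return NULL either way, and the caller then falls back to the default policy), but now that the lock is a mutex it is worth a one-line comment saying the unlocked check is intentional, so the next reader does not mistake it for a second instance of the race this patch fixes.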
@@ -2131,10 +2131,10 @@ static struct sp_node *sp_alloc(unsigned
static int shared_policy_replace(struct shared_policy *sp, unsigned long start,
unsigned long end, struct sp_node *new)
{
- struct sp_node *n, *new2 = NULL;
+ struct sp_node *n;
+ int ret = 0;
-restart:
- spin_lock(&sp->lock);
+ mutex_lock(&sp->mutex);
n = sp_lookup(sp, start, end);
/* Take care of old policies in the same range. */
while (n && n->start < end) {
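Review bot: removing the `restart:` label is right, since the function no longer drops the lock mid-way and so never needs to retry, but note that the two following hunk headers still show `restart:` as their enclosing context; that is only diff's function-name heuristic picking up the label from the old file, not a surviving reference. Any leftover `goto restart` elsewhere in the function would fail to compile, so the stale header text can be ignored, but the changelog could mention that the retry loop is gone on purpose.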
@@ -2147,16 +2147,14 @@ restart:
} else {
/* Old policy spanning whole new range. */
if (n->end > end) {
+ struct sp_node *new2;
+ new2 = sp_alloc(end, n->end, n->policy);
if (!new2) {
- spin_unlock(&sp->lock);
- new2 = sp_alloc(end, n->end, n->policy);
- if (!new2)
- return -ENOMEM;
- goto restart;
+ ret = -ENOMEM;
+ goto out;
}
n->end = start;
sp_insert(sp, new2);
- new2 = NULL;
break;
} else
n->end = start;
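Review bot: the removed lines make the bug from the changelog visible: `new2 = sp_alloc(end, n->end, n->policy)` used to run after `spin_unlock(&sp->lock)`, so both `n->end` and `n->policy` were read from a node the function no longer had any right to dereference, and the subsequent `goto restart` could then insert a node built from stale values. In the new version both reads and the split happen inside the one critical section, which is the fix. Two things to check before merging: sp_alloc() is now called with sp->mutex held, so it must use sleepable allocation flags (fine under a mutex) and must not itself take sp->mutex; and on the `-ENOMEM` path `goto out` is reached after earlier iterations of the while loop may already have trimmed or removed nodes in the range (`n->end = start` in the else branch), so the caller observes a partially applied replacement and must still free `new` itself, exactly as with the old `return -ENOMEM`. A short comment above `goto out` noting that the partial update is pre-existing behaviour would save the next reader the same investigation.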
@@ -2167,12 +2165,9 @@ restart:
}
if (new)
sp_insert(sp, new);
- spin_unlock(&sp->lock);
- if (new2) {
- mpol_put(new2->policy);
- kmem_cache_free(sn_cache, new2);
- }
- return 0;
+out:
+ mutex_unlock(&sp->mutex);
+ return ret;
}
/**
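Review bot: placing `out:` directly before `mutex_unlock` gives the success and error paths a single unlock, and dropping the `mpol_put(new2->policy); kmem_cache_free(sn_cache, new2);` block is correct: new2 is now either inserted into the tree or never allocated, so there is nothing left to clean up. Minor readability point: the success path reaches `out:` by fall-through with `ret == 0` and `ret` is only ever set on the allocation failure, so a comment such as `/* ret is 0 unless sp_alloc() failed */` next to `return ret;` would make that obvious.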
@@ -2190,7 +2185,7 @@ void mpol_shared_policy_init(struct shar
int ret;
sp->root = RB_ROOT; /* empty tree == default mempolicy */
- spin_lock_init(&sp->lock);
+ mutex_init(&sp->mutex);
if (mpol) {
struct vm_area_struct pvma;
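Review bot: `mutex_init(&sp->mutex)` is the only initialisation of the lock. A spinlock that was merely zeroed (for instance by kzalloc) happened to be usable on many configurations, whereas a zeroed struct mutex is not valid, so any struct shared_policy that is embedded somewhere and not passed through mpol_shared_policy_init() will now misbehave (debug-mutex and lockdep builds will report it). It would be worth stating in the changelog that every embedder goes through this init path.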
@@ -2256,7 +2251,7 @@ void mpol_free_shared_policy(struct shar
if (!p->root.rb_node)
return;
- spin_lock(&p->lock);
+ mutex_lock(&p->mutex);
next = rb_first(&p->root);
while (next) {
n = rb_entry(next, struct sp_node, nd);
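Review bot: mpol_free_shared_policy() is the teardown path and is reached from inode destruction, so with the switch to `mutex_lock(&p->mutex)` it must not be invoked from an RCU callback, a softirq or any other atomic context; please confirm that the callers run it synchronously from process context. The unlocked `if (!p->root.rb_node) return;` above the lock is fine here because nothing should be racing with teardown, but a comment saying so would help.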
@@ -2265,7 +2260,7 @@ void mpol_free_shared_policy(struct shar
mpol_put(n->policy);
kmem_cache_free(sn_cache, n);
}
- spin_unlock(&p->lock);
+ mutex_unlock(&p->mutex);
}
/* assumes fs == KERNEL_DS */
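Review bot: the teardown never calls `mutex_destroy(&p->mutex)`. It is a no-op without CONFIG_DEBUG_MUTEXES, but adding it after the final `mutex_unlock(&p->mutex)` lets debug builds catch a later use of the lock on a freed policy tree, which is cheap insurance given that this whole series is about lifetime bugs in shared policies.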
2012-10-11 2:01 [ 00/84] 3.0.46-stable review Greg Kroah-Hartman