stable.vger.kernel.org archive mirror
From: Willy Tarreau <w@1wt.eu>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Carsten Otte <cotte@de.ibm.com>, Hugh Dickins <hughd@google.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [ 03/13] mm/filemap_xip.c: fix race condition in xip_file_fault()
Date: Mon, 12 Mar 2012 01:44:14 +0100
Message-ID: <20120312004411.443637720@1wt.eu>
In-Reply-To: <fec4dd6c17083169f2e217caca7375ef@local>

2.6.27-longterm review patch.  If anyone has any objections, please let me know.

------------------

From: Carsten Otte <carsteno@de.ibm.com>

commit 99f02ef1f18631eb0a4e0ea0a3d56878dbcb4b90 upstream.

Fix a race condition that shows in conjunction with xip_file_fault() when
two threads of the same user process fault on the same memory page.

In this case, the race winner will install the page table entry and the
unlucky loser will cause an oops: xip_file_fault calls vm_insert_pfn (via
vm_insert_mixed) which drops out at this check:

	retval = -EBUSY;
	if (!pte_none(*pte))
		goto out_unlock;

The resulting -EBUSY return value will trigger a BUG_ON() in
xip_file_fault.

This fix simply considers the fault as fixed in this case, because the
race winner has successfully installed the pte.

[akpm@linux-foundation.org: use conventional (and consistent) comment layout]
Reported-by: David Sadler <dsadler@us.ibm.com>
Signed-off-by: Carsten Otte <cotte@de.ibm.com>
Reported-by: Louis Alex Eisner <leisner@cs.ucsd.edu>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/filemap_xip.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/mm/filemap_xip.c b/mm/filemap_xip.c
index 1888b2d..e395030 100644
--- a/mm/filemap_xip.c
+++ b/mm/filemap_xip.c
@@ -262,7 +262,12 @@ found:
 							xip_pfn);
 		if (err == -ENOMEM)
 			return VM_FAULT_OOM;
-		BUG_ON(err);
+		/*
+		 * err == -EBUSY is fine, we've raced against another thread
+		 * that faulted-in the same page
+		 */
+		if (err != -EBUSY)
+			BUG_ON(err);
 		return VM_FAULT_NOPAGE;
 	} else {
 		int err, ret = VM_FAULT_OOM;
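
Review bot: The BUG_ON(err) kept under the new `if (err != -EBUSY)` still takes the kernel down for any other non-zero return from the insert call, and this is a path reached from a user page fault. Consider returning VM_FAULT_SIGBUS for unexpected errors so that only the faulting task is affected, or at minimum fold the two lines into `BUG_ON(err && err != -EBUSY);` so the accepted error codes are visible in one place. The comment would also be more useful if it named the source of -EBUSY (the `!pte_none(*pte)` check in vm_insert_pfn quoted in the commit message), because returning VM_FAULT_NOPAGE is only correct if -EBUSY means a pte is already installed.
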
-- 
1.7.2.1.45.g54fbc



