From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jan Stancek <jstancek@redhat.com>,
	David Rientjes <rientjes@google.com>,
	Hugh Dickins <hughd@google.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Ben Hutchings <ben@decadent.org.uk>
Subject: [ 26/29] mm: prevent mmap_cache race in find_vma()
Date: Wed, 10 Apr 2013 15:49:44 -0700
Message-ID: <20130410224806.782757072@linuxfoundation.org>
In-Reply-To: <20130410224804.061806042@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Stancek <jstancek@redhat.com>

commit b6a9b7f6b1f21735a7456d534dc0e68e61359d2c upstream.

find_vma() can be called by multiple threads with read lock
held on mm->mmap_sem and any of them can update mm->mmap_cache.
Prevent compiler from re-fetching mm->mmap_cache, because other
readers could update it in the meantime:

               thread 1                             thread 2
                                        |
  find_vma()                            |  find_vma()
    struct vm_area_struct *vma = NULL;  |
    vma = mm->mmap_cache;               |
    if (!(vma && vma->vm_end > addr     |
        && vma->vm_start <= addr)) {    |
                                        |    mm->mmap_cache = vma;
    return vma;                         |
     ^^ compiler may optimize this      |
        local variable out and re-read  |
        mm->mmap_cache                  |

This issue can be reproduced with gcc-4.8.0-1 on s390x by running
mallocstress testcase from LTP, which triggers:

  kernel BUG at mm/rmap.c:1088!
    Call Trace:
     ([<000003d100c57000>] 0x3d100c57000)
      [<000000000023a1c0>] do_wp_page+0x2fc/0xa88
      [<000000000023baae>] handle_pte_fault+0x41a/0xac8
      [<000000000023d832>] handle_mm_fault+0x17a/0x268
      [<000000000060507a>] do_protection_exception+0x1e2/0x394
      [<0000000000603a04>] pgm_check_handler+0x138/0x13c
      [<000003fffcf1f07a>] 0x3fffcf1f07a
    Last Breaking-Event-Address:
      [<000000000024755e>] page_add_new_anon_rmap+0xc2/0x168

Thanks to Jakub Jelinek for his insight on gcc and helping to
track this down.

Signed-off-by: Jan Stancek <jstancek@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2: adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mmap.c  |    2 +-
 mm/nommu.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1619,7 +1619,7 @@ struct vm_area_struct *find_vma(struct m
 	if (mm) {
 		/* Check the cache first. */
 		/* (Cache hit rate is typically around 35%.) */
-		vma = mm->mmap_cache;
+		vma = ACCESS_ONCE(mm->mmap_cache);
 		if (!(vma && vma->vm_end > addr && vma->vm_start <= addr)) {
 			struct rb_node * rb_node;
 
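Review bot: the fix at `+		vma = ACCESS_ONCE(mm->mmap_cache);` is correct, but nothing in the hunk records why a volatile read is needed here; the neighbouring `/* Check the cache first. */` comment gives no hint that mmap_cache is written by other find_vma() callers that hold only the read side of mmap_sem, and a later cleanup could silently revert this to the plain load. Suggest extending that comment, e.g. `/* Check the cache first; load it once, other readers update it concurrently. */`, so the single-load requirement is visible at the site.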
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -807,7 +807,7 @@ struct vm_area_struct *find_vma(struct m
 	struct vm_area_struct *vma;
 
 	/* check the cache first */
-	vma = mm->mmap_cache;
+	vma = ACCESS_ONCE(mm->mmap_cache);
 	if (vma && vma->vm_start <= addr && vma->vm_end > addr)
 		return vma;
 
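Review bot: same single-load change as in mm/mmap.c, applied to the positive-form check `if (vma && vma->vm_start <= addr && vma->vm_end > addr)`; the `/* check the cache first */` comment above `+	vma = ACCESS_ONCE(mm->mmap_cache);` should likewise state that the cache is read exactly once because other find_vma() callers update it concurrently. The two copies of the cache check are now maintained independently and will drift, so at minimum the explanatory comment should be identical in both files.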


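The race in the commit message is easiest to see in user space. The following is an added example, not kernel code and not part of the patch: it models find_vma() with a sorted list instead of the rb-tree, uses a hook to stand in for "thread 2" storing into mm->mmap_cache between the cache check and the return, and writes the compiler's permitted re-read out explicitly so the failure is deterministic. Only the ACCESS_ONCE() definition mirrors the kernel macro of that era; the struct layout, the two sample mappings, the addresses and all function names other than find_vma are constructed here.

```c
/* Added example: a user-space model of the find_vma() mmap_cache race that the
 * patch above fixes. Nothing here is kernel code; the VMA list, the two-thread
 * interleaving hook and the sample addresses are constructed for illustration.
 * Only the ACCESS_ONCE() idiom mirrors the kernel macro of that era. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A volatile-qualified access forces exactly one load (or store) of the
 * lvalue at that point; the compiler may not re-issue it from a later
 * plain access to the same object. */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))

struct vm_area {
    uintptr_t vm_start;          /* inclusive */
    uintptr_t vm_end;            /* exclusive */
    struct vm_area *next;        /* sorted list stands in for the rb-tree */
};

struct mm {
    struct vm_area *vmas;        /* sorted by vm_start */
    struct vm_area *mmap_cache;  /* last hit; any reader may overwrite it */
};

/* Stand-in for "thread 2": invoked between the cache check and the return. */
typedef void (*interleave_fn)(struct mm *mm);

static int covers(const struct vm_area *vma, uintptr_t addr)
{
    return vma && vma->vm_start <= addr && vma->vm_end > addr;
}

/* Slow path: first VMA with vm_end > addr (the kernel's find_vma contract),
 * published to the cache with a single store. */
static struct vm_area *find_vma_slow(struct mm *mm, uintptr_t addr)
{
    struct vm_area *vma;
    for (vma = mm->vmas; vma; vma = vma->next) {
        if (vma->vm_end > addr) {
            ACCESS_ONCE(mm->mmap_cache) = vma;
            return vma;
        }
    }
    return NULL;
}

/* Fixed version, as in the patch: load the cache once, validate that value,
 * and return that same value. */
struct vm_area *find_vma_once(struct mm *mm, uintptr_t addr, interleave_fn race)
{
    struct vm_area *vma = ACCESS_ONCE(mm->mmap_cache);
    if (covers(vma, addr)) {
        if (race)
            race(mm);        /* another reader overwrites mm->mmap_cache here */
        return vma;          /* still the pointer we validated */
    }
    return find_vma_slow(mm, addr);
}

/* What the unfixed code permits: the compiler may discard the local and
 * reload mm->mmap_cache at the return. The second load is written out
 * explicitly here so the effect is deterministic in user space. */
struct vm_area *find_vma_reload(struct mm *mm, uintptr_t addr, interleave_fn race)
{
    struct vm_area *vma = mm->mmap_cache;
    if (covers(vma, addr)) {
        if (race)
            race(mm);
        return mm->mmap_cache;   /* re-read: may no longer cover addr */
    }
    return find_vma_slow(mm, addr);
}

/* Constructed address space: two mappings, cache primed with the first. */
static struct vm_area vma_b = { 0x5000, 0x6000, NULL };
static struct vm_area vma_a = { 0x1000, 0x2000, &vma_b };
static struct mm demo_mm = { &vma_a, &vma_a };

static void thread2_stores_b(struct mm *mm)
{
    ACCESS_ONCE(mm->mmap_cache) = &vma_b;   /* thread 2 just looked up 0x5xxx */
}

/* Returns 1 if the lookup for addr yields a VMA covering addr, 0 otherwise. */
int lookup_is_sound(int reload, uintptr_t addr)
{
    demo_mm.mmap_cache = &vma_a;            /* reset the race precondition */
    struct vm_area *vma = reload
        ? find_vma_reload(&demo_mm, addr, thread2_stores_b)
        : find_vma_once(&demo_mm, addr, thread2_stores_b);
    return covers(vma, addr);
}

int main(void)
{
    printf("ACCESS_ONCE version sound: %d\n", lookup_is_sound(0, 0x1800));
    printf("re-read version sound:     %d\n", lookup_is_sound(1, 0x1800));
    return 0;
}
```

The hook call is what makes the second load observable here; in the kernel the interleaving is a real scheduling race and the second load is something the optimizer is free to introduce, which is why the reproducer in the commit message depends on a particular gcc build. The volatile access removes that freedom without adding any locking, which is the whole point of the one-line fix.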

