From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Gu Zheng <guz.fnst@cn.fujitsu.com>,
Taku Izumi <izumi.taku@jp.fujitsu.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Tang Chen <tangchen@cn.fujitsu.com>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.0 090/105] mm/memory_hotplug.c: set zone->wait_table to null after freeing it
Date: Fri, 19 Jun 2015 13:36:20 -0700
Message-ID: <20150619203600.821306151@linuxfoundation.org>
In-Reply-To: <20150619203558.187802739@linuxfoundation.org>
4.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gu Zheng <guz.fnst@cn.fujitsu.com>
commit 85bd839983778fcd0c1c043327b14a046e979b39 upstream.
Izumi found the following oops when hot re-adding a node:
BUG: unable to handle kernel paging request at ffffc90008963690
IP: __wake_up_bit+0x20/0x70
Oops: 0000 [#1] SMP
CPU: 68 PID: 1237 Comm: rs:main Q:Reg Not tainted 4.1.0-rc5 #80
Hardware name: FUJITSU PRIMEQUEST2800E/SB, BIOS PRIMEQUEST 2000 Series BIOS Version 1.87 04/28/2015
task: ffff880838df8000 ti: ffff880017b94000 task.ti: ffff880017b94000
RIP: 0010:[<ffffffff810dff80>] [<ffffffff810dff80>] __wake_up_bit+0x20/0x70
RSP: 0018:ffff880017b97be8 EFLAGS: 00010246
RAX: ffffc90008963690 RBX: 00000000003c0000 RCX: 000000000000a4c9
RDX: 0000000000000000 RSI: ffffea101bffd500 RDI: ffffc90008963648
RBP: ffff880017b97c08 R08: 0000000002000020 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a0797c73800
R13: ffffea101bffd500 R14: 0000000000000001 R15: 00000000003c0000
FS: 00007fcc7ffff700(0000) GS:ffff880874800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90008963690 CR3: 0000000836761000 CR4: 00000000001407e0
Call Trace:
unlock_page+0x6d/0x70
generic_write_end+0x53/0xb0
xfs_vm_write_end+0x29/0x80 [xfs]
generic_perform_write+0x10a/0x1e0
xfs_file_buffered_aio_write+0x14d/0x3e0 [xfs]
xfs_file_write_iter+0x79/0x120 [xfs]
__vfs_write+0xd4/0x110
vfs_write+0xac/0x1c0
SyS_write+0x58/0xd0
system_call_fastpath+0x12/0x76
Code: 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 45 f8 31 c0 48 8d 47 48 <48> 39 47 48 48 c7 45 e8 00 00 00 00 48 c7 45 f0 00 00 00 00 48
RIP [<ffffffff810dff80>] __wake_up_bit+0x20/0x70
RSP <ffff880017b97be8>
CR2: ffffc90008963690
Reproduce method (re-add a node):
Hot-add nodeA --> remove nodeA --> hot-add nodeA (panic)
This seems to be a use-after-free problem, and the root cause is that
zone->wait_table was not set to *NULL* after freeing it in
try_offline_node.
When hot re-adding a node, we will reuse its pgdat, and so the zone
struct too, and when adding pages to the target zone, it will init the zone
first (including the wait_table) if the zone is not initialized. The
judgement of whether the zone is initialized is based on zone->wait_table:
static inline bool zone_is_initialized(struct zone *zone)
{
	return !!zone->wait_table;
}
so if we do not set zone->wait_table to *NULL* after freeing it, the
memory hotplug routine will skip the init of the new zone when hot re-adding
the node, and the wait_table still points to the freed memory; then we
will access the invalid address when trying to wake up those waiting
after the i/o operation on the page is done, as shown
above.
Signed-off-by: Gu Zheng <guz.fnst@cn.fujitsu.com>
Reported-by: Taku Izumi <izumi.taku@jp.fujitsu.com>
Reviewed-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Tang Chen <tangchen@cn.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memory_hotplug.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1978,8 +1978,10 @@ void try_offline_node(int nid)
* wait_table may be allocated from boot memory,
* here only free if it's allocated by vmalloc.
*/
- if (is_vmalloc_addr(zone->wait_table))
+ if (is_vmalloc_addr(zone->wait_table)) {
vfree(zone->wait_table);
+ zone->wait_table = NULL;
+ }
}
}
EXPORT_SYMBOL(try_offline_node);
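Review bot: the comment above the `if (is_vmalloc_addr(zone->wait_table))` block still only explains the free and not the new `zone->wait_table = NULL;`, and since this pointer is the flag that `zone_is_initialized()` consults, the reason for the reset deserves a line there, e.g. "clear it so the zone is re-initialized on the next hot-add". It is also worth stating explicitly that the boot-memory case is correct as is: that table is never freed, so leaving the pointer in place keeps a valid table and the skipped re-init is harmless, whereas the vmalloc case must reset the pointer or the next `zone_init` will skip allocation and keep using freed memory, which is the `__wake_up_bit` oops in the description.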
--
To unsubscribe from this list: send the line "unsubscribe stable" in
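The failure mode the commit message describes, as an added userspace model that is not part of the kernel or of this patch: a zone whose wait_table pointer doubles as its "initialized" flag, an offline routine that frees the table with and without clearing the pointer, and a hot-add / remove / hot-add cycle that shows the second initialization being skipped when the pointer is left dangling. The struct layout, init_count field and function names (zone_init, try_offline_zone_buggy, try_offline_zone_fixed, hot_readd_cycle) are constructed for the demonstration; only zone_is_initialized() follows the helper quoted in the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the kernel pattern from the commit message: the
 * wait_table pointer is also the zone's "initialized" flag, so freeing the
 * table without clearing the pointer makes a later re-initialization skip
 * itself and leaves the dangling pointer in use. */
struct zone {
	unsigned long *wait_table;   /* NULL means "zone not initialized" */
	size_t nr_entries;
	int init_count;              /* demonstration-only: times init ran */
};

/* Same test the kernel helper performs: non-NULL pointer == initialized. */
static int zone_is_initialized(const struct zone *zone)
{
	return zone->wait_table != NULL;
}

/* Stands in for the hotplug path that sets up an empty zone exactly once. */
static int zone_init(struct zone *zone, size_t entries)
{
	if (zone_is_initialized(zone))
		return 0;                       /* already set up: skip */
	zone->wait_table = calloc(entries, sizeof(*zone->wait_table));
	if (!zone->wait_table)
		return -1;
	zone->nr_entries = entries;
	zone->init_count++;
	return 0;
}

/* Before the patch: the table is freed but the pointer is left dangling. */
static void try_offline_zone_buggy(struct zone *zone)
{
	free(zone->wait_table);
}

/* After the patch: free and reset the pointer so the zone reads as
 * uninitialized and the next hot-add allocates a fresh table. */
static void try_offline_zone_fixed(struct zone *zone)
{
	free(zone->wait_table);
	zone->wait_table = NULL;
}

/* Runs hot-add -> remove -> hot-add and returns how many times the zone was
 * initialized: 2 means the re-add got a valid table; 1 means the second
 * init was skipped and wait_table still points at freed memory, which is
 * the use-after-free the oops in the description reports. */
static int hot_readd_cycle(void (*offline)(struct zone *))
{
	struct zone z;
	memset(&z, 0, sizeof(z));

	zone_init(&z, 64);          /* hot-add nodeA */
	offline(&z);                /* remove nodeA: wait_table freed */
	zone_init(&z, 64);          /* hot-add nodeA again */

	int count = z.init_count;
	if (count == 2)
		free(z.wait_table);     /* fresh allocation, safe to release */
	/* count == 1: wait_table is dangling and deliberately not touched */
	return count;
}

int main(void)
{
	printf("buggy offline: zone initialized %d time(s)\n",
	       hot_readd_cycle(try_offline_zone_buggy));
	printf("fixed offline: zone initialized %d time(s)\n",
	       hot_readd_cycle(try_offline_zone_fixed));
	return 0;
}
```

The check this encodes is the one to apply to any teardown path where a pointer field also serves as state: after the free, the field must be reset to the value the "not initialized" branch tests for, otherwise every later consumer that trusts the flag (here, the page-unlock wakeup) dereferences freed memory.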