aboutsummaryrefslogtreecommitdiffstats
path: root/arch
diff options
context:
space:
mode:
authorPeter Zijlstra <a.p.zijlstra@chello.nl>2010-10-27 18:32:58 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2010-10-27 21:03:05 -0400
commit20273941f2129aa5a432796d98a276ed73d60782 (patch)
tree85da0d951ac10f239f81ad7f69559fdeb692095b /arch
parenta8e23a291852cd7c4fb5ca696dbb93912185ad10 (diff)
mm: fix race in kunmap_atomic()
Christoph reported a nice splat which illustrated a race in the new stack based kmap_atomic implementation. The problem is that we pop our stack slot before we're completely done resetting its state -- in particular clearing the PTE (sometimes that's CONFIG_DEBUG_HIGHMEM). If an interrupt happens before we actually clear the PTE used for the last slot, that interrupt can reuse the slot in a dirty state, which triggers a BUG in kmap_atomic(). Fix this by introducing kmap_atomic_idx() which reports the current slot index without actually releasing it and use that to find the PTE and delay the _pop() until after we're completely done. Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Reported-by: Christoph Hellwig <hch@infradead.org> Acked-by: Rik van Riel <riel@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/mm/highmem.c3
-rw-r--r--arch/frv/mm/highmem.c3
-rw-r--r--arch/mips/mm/highmem.c3
-rw-r--r--arch/mn10300/include/asm/highmem.h4
-rw-r--r--arch/powerpc/mm/highmem.c4
-rw-r--r--arch/sparc/mm/highmem.c4
-rw-r--r--arch/tile/mm/highmem.c3
-rw-r--r--arch/x86/mm/highmem_32.c3
-rw-r--r--arch/x86/mm/iomap_32.c3
9 files changed, 21 insertions, 9 deletions
diff --git a/arch/arm/mm/highmem.c b/arch/arm/mm/highmem.c
index c00f119babb..c435fd9e1da 100644
--- a/arch/arm/mm/highmem.c
+++ b/arch/arm/mm/highmem.c
@@ -89,7 +89,7 @@ void __kunmap_atomic(void *kvaddr)
89 int idx, type; 89 int idx, type;
90 90
91 if (kvaddr >= (void *)FIXADDR_START) { 91 if (kvaddr >= (void *)FIXADDR_START) {
92 type = kmap_atomic_idx_pop(); 92 type = kmap_atomic_idx();
93 idx = type + KM_TYPE_NR * smp_processor_id(); 93 idx = type + KM_TYPE_NR * smp_processor_id();
94 94
95 if (cache_is_vivt()) 95 if (cache_is_vivt())
@@ -101,6 +101,7 @@ void __kunmap_atomic(void *kvaddr)
101#else 101#else
102 (void) idx; /* to kill a warning */ 102 (void) idx; /* to kill a warning */
103#endif 103#endif
104 kmap_atomic_idx_pop();
104 } else if (vaddr >= PKMAP_ADDR(0) && vaddr < PKMAP_ADDR(LAST_PKMAP)) { 105 } else if (vaddr >= PKMAP_ADDR(0) && vaddr < PKMAP_ADDR(LAST_PKMAP)) {
105 /* this address was obtained through kmap_high_get() */ 106 /* this address was obtained through kmap_high_get() */
106 kunmap_high(pte_page(pkmap_page_table[PKMAP_NR(vaddr)])); 107 kunmap_high(pte_page(pkmap_page_table[PKMAP_NR(vaddr)]));
diff --git a/arch/frv/mm/highmem.c b/arch/frv/mm/highmem.c
index 61088dcc159..fd7fcd4c2e3 100644
--- a/arch/frv/mm/highmem.c
+++ b/arch/frv/mm/highmem.c
@@ -68,7 +68,7 @@ EXPORT_SYMBOL(__kmap_atomic);
68 68
69void __kunmap_atomic(void *kvaddr) 69void __kunmap_atomic(void *kvaddr)
70{ 70{
71 int type = kmap_atomic_idx_pop(); 71 int type = kmap_atomic_idx();
72 switch (type) { 72 switch (type) {
73 case 0: __kunmap_atomic_primary(4, 6); break; 73 case 0: __kunmap_atomic_primary(4, 6); break;
74 case 1: __kunmap_atomic_primary(5, 7); break; 74 case 1: __kunmap_atomic_primary(5, 7); break;
@@ -83,6 +83,7 @@ void __kunmap_atomic(void *kvaddr)
83 default: 83 default:
84 BUG(); 84 BUG();
85 } 85 }
86 kmap_atomic_idx_pop();
86 pagefault_enable(); 87 pagefault_enable();
87} 88}
88EXPORT_SYMBOL(__kunmap_atomic); 89EXPORT_SYMBOL(__kunmap_atomic);
diff --git a/arch/mips/mm/highmem.c b/arch/mips/mm/highmem.c
index 1e69b1fb4b8..3634c7ea06a 100644
--- a/arch/mips/mm/highmem.c
+++ b/arch/mips/mm/highmem.c
@@ -74,7 +74,7 @@ void __kunmap_atomic(void *kvaddr)
74 return; 74 return;
75 } 75 }
76 76
77 type = kmap_atomic_idx_pop(); 77 type = kmap_atomic_idx();
78#ifdef CONFIG_DEBUG_HIGHMEM 78#ifdef CONFIG_DEBUG_HIGHMEM
79 { 79 {
80 int idx = type + KM_TYPE_NR * smp_processor_id(); 80 int idx = type + KM_TYPE_NR * smp_processor_id();
@@ -89,6 +89,7 @@ void __kunmap_atomic(void *kvaddr)
89 local_flush_tlb_one(vaddr); 89 local_flush_tlb_one(vaddr);
90 } 90 }
91#endif 91#endif
92 kmap_atomic_idx_pop();
92 pagefault_enable(); 93 pagefault_enable();
93} 94}
94EXPORT_SYMBOL(__kunmap_atomic); 95EXPORT_SYMBOL(__kunmap_atomic);
diff --git a/arch/mn10300/include/asm/highmem.h b/arch/mn10300/include/asm/highmem.h
index f577ba2268c..e2155e68645 100644
--- a/arch/mn10300/include/asm/highmem.h
+++ b/arch/mn10300/include/asm/highmem.h
@@ -101,7 +101,7 @@ static inline void __kunmap_atomic(unsigned long vaddr)
101 return; 101 return;
102 } 102 }
103 103
104 type = kmap_atomic_idx_pop(); 104 type = kmap_atomic_idx();
105 105
106#if HIGHMEM_DEBUG 106#if HIGHMEM_DEBUG
107 { 107 {
@@ -119,6 +119,8 @@ static inline void __kunmap_atomic(unsigned long vaddr)
119 __flush_tlb_one(vaddr); 119 __flush_tlb_one(vaddr);
120 } 120 }
121#endif 121#endif
122
123 kmap_atomic_idx_pop();
122 pagefault_enable(); 124 pagefault_enable();
123} 125}
124#endif /* __KERNEL__ */ 126#endif /* __KERNEL__ */
diff --git a/arch/powerpc/mm/highmem.c b/arch/powerpc/mm/highmem.c
index b0848b462bb..e7450bdbe83 100644
--- a/arch/powerpc/mm/highmem.c
+++ b/arch/powerpc/mm/highmem.c
@@ -62,7 +62,7 @@ void __kunmap_atomic(void *kvaddr)
62 return; 62 return;
63 } 63 }
64 64
65 type = kmap_atomic_idx_pop(); 65 type = kmap_atomic_idx();
66 66
67#ifdef CONFIG_DEBUG_HIGHMEM 67#ifdef CONFIG_DEBUG_HIGHMEM
68 { 68 {
@@ -79,6 +79,8 @@ void __kunmap_atomic(void *kvaddr)
79 local_flush_tlb_page(NULL, vaddr); 79 local_flush_tlb_page(NULL, vaddr);
80 } 80 }
81#endif 81#endif
82
83 kmap_atomic_idx_pop();
82 pagefault_enable(); 84 pagefault_enable();
83} 85}
84EXPORT_SYMBOL(__kunmap_atomic); 86EXPORT_SYMBOL(__kunmap_atomic);
diff --git a/arch/sparc/mm/highmem.c b/arch/sparc/mm/highmem.c
index 5e50c09b7dc..4730eac0747 100644
--- a/arch/sparc/mm/highmem.c
+++ b/arch/sparc/mm/highmem.c
@@ -75,7 +75,7 @@ void __kunmap_atomic(void *kvaddr)
75 return; 75 return;
76 } 76 }
77 77
78 type = kmap_atomic_idx_pop(); 78 type = kmap_atomic_idx();
79 79
80#ifdef CONFIG_DEBUG_HIGHMEM 80#ifdef CONFIG_DEBUG_HIGHMEM
81 { 81 {
@@ -104,6 +104,8 @@ void __kunmap_atomic(void *kvaddr)
104#endif 104#endif
105 } 105 }
106#endif 106#endif
107
108 kmap_atomic_idx_pop();
107 pagefault_enable(); 109 pagefault_enable();
108} 110}
109EXPORT_SYMBOL(__kunmap_atomic); 111EXPORT_SYMBOL(__kunmap_atomic);
diff --git a/arch/tile/mm/highmem.c b/arch/tile/mm/highmem.c
index 8ef6595e162..abb57331cf6 100644
--- a/arch/tile/mm/highmem.c
+++ b/arch/tile/mm/highmem.c
@@ -241,7 +241,7 @@ void __kunmap_atomic(void *kvaddr)
241 pte_t pteval = *pte; 241 pte_t pteval = *pte;
242 int idx, type; 242 int idx, type;
243 243
244 type = kmap_atomic_idx_pop(); 244 type = kmap_atomic_idx();
245 idx = type + KM_TYPE_NR*smp_processor_id(); 245 idx = type + KM_TYPE_NR*smp_processor_id();
246 246
247 /* 247 /*
@@ -252,6 +252,7 @@ void __kunmap_atomic(void *kvaddr)
252 BUG_ON(!pte_present(pteval) && !pte_migrating(pteval)); 252 BUG_ON(!pte_present(pteval) && !pte_migrating(pteval));
253 kmap_atomic_unregister(pte_page(pteval), vaddr); 253 kmap_atomic_unregister(pte_page(pteval), vaddr);
254 kpte_clear_flush(pte, vaddr); 254 kpte_clear_flush(pte, vaddr);
255 kmap_atomic_idx_pop();
255 } else { 256 } else {
256 /* Must be a lowmem page */ 257 /* Must be a lowmem page */
257 BUG_ON(vaddr < PAGE_OFFSET); 258 BUG_ON(vaddr < PAGE_OFFSET);
diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
index d723e369003..b4996266210 100644
--- a/arch/x86/mm/highmem_32.c
+++ b/arch/x86/mm/highmem_32.c
@@ -74,7 +74,7 @@ void __kunmap_atomic(void *kvaddr)
74 vaddr <= __fix_to_virt(FIX_KMAP_BEGIN)) { 74 vaddr <= __fix_to_virt(FIX_KMAP_BEGIN)) {
75 int idx, type; 75 int idx, type;
76 76
77 type = kmap_atomic_idx_pop(); 77 type = kmap_atomic_idx();
78 idx = type + KM_TYPE_NR * smp_processor_id(); 78 idx = type + KM_TYPE_NR * smp_processor_id();
79 79
80#ifdef CONFIG_DEBUG_HIGHMEM 80#ifdef CONFIG_DEBUG_HIGHMEM
@@ -87,6 +87,7 @@ void __kunmap_atomic(void *kvaddr)
87 * attributes or becomes a protected page in a hypervisor. 87 * attributes or becomes a protected page in a hypervisor.
88 */ 88 */
89 kpte_clear_flush(kmap_pte-idx, vaddr); 89 kpte_clear_flush(kmap_pte-idx, vaddr);
90 kmap_atomic_idx_pop();
90 } 91 }
91#ifdef CONFIG_DEBUG_HIGHMEM 92#ifdef CONFIG_DEBUG_HIGHMEM
92 else { 93 else {
diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
index 75a3d7f24a2..7b179b499fa 100644
--- a/arch/x86/mm/iomap_32.c
+++ b/arch/x86/mm/iomap_32.c
@@ -98,7 +98,7 @@ iounmap_atomic(void __iomem *kvaddr)
98 vaddr <= __fix_to_virt(FIX_KMAP_BEGIN)) { 98 vaddr <= __fix_to_virt(FIX_KMAP_BEGIN)) {
99 int idx, type; 99 int idx, type;
100 100
101 type = kmap_atomic_idx_pop(); 101 type = kmap_atomic_idx();
102 idx = type + KM_TYPE_NR * smp_processor_id(); 102 idx = type + KM_TYPE_NR * smp_processor_id();
103 103
104#ifdef CONFIG_DEBUG_HIGHMEM 104#ifdef CONFIG_DEBUG_HIGHMEM
@@ -111,6 +111,7 @@ iounmap_atomic(void __iomem *kvaddr)
111 * attributes or becomes a protected page in a hypervisor. 111 * attributes or becomes a protected page in a hypervisor.
112 */ 112 */
113 kpte_clear_flush(kmap_pte-idx, vaddr); 113 kpte_clear_flush(kmap_pte-idx, vaddr);
114 kmap_atomic_idx_pop();
114 } 115 }
115 116
116 pagefault_enable(); 117 pagefault_enable();
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-09 02:42:26 -0500