aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTony Battersby <tonyb@cybernetics.com>2009-02-04 18:12:04 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2009-02-05 15:56:47 -0500
commita68e61e8ff2d46327a37b69056998b47745db6fa (patch)
tree2445097933785b26d91577e6f4b41329e8bcd639
parent1f5e31d7e55ac7fbd4ec5e5b20c8868b0e4564c9 (diff)
shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
shm_get_stat() assumes that the inode is a "struct shmem_inode_info", which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c: ramfs_get_inode() vs. mm/shmem.c: shmem_get_inode()). This bad assumption can cause shmctl(SHM_INFO) to lockup when shm_get_stat() tries to spin_lock(&info->lock). Users of !CONFIG_SHMEM may encounter this lockup simply by invoking the 'ipcs' command. Reported by Jiri Olsa back in February 2008: http://lkml.org/lkml/2008/2/29/74 Signed-off-by: Tony Battersby <tonyb@cybernetics.com> Cc: Jiri Kosina <jkosina@suse.cz> Reported-by: Jiri Olsa <olsajiri@gmail.com> Cc: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> [2.6.everything] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--ipc/shm.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index c0a021f7f41a..f8f69fad3a27 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -565,11 +565,15 @@ static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
565 struct hstate *h = hstate_file(shp->shm_file); 565 struct hstate *h = hstate_file(shp->shm_file);
566 *rss += pages_per_huge_page(h) * mapping->nrpages; 566 *rss += pages_per_huge_page(h) * mapping->nrpages;
567 } else { 567 } else {
568#ifdef CONFIG_SHMEM
568 struct shmem_inode_info *info = SHMEM_I(inode); 569 struct shmem_inode_info *info = SHMEM_I(inode);
569 spin_lock(&info->lock); 570 spin_lock(&info->lock);
570 *rss += inode->i_mapping->nrpages; 571 *rss += inode->i_mapping->nrpages;
571 *swp += info->swapped; 572 *swp += info->swapped;
572 spin_unlock(&info->lock); 573 spin_unlock(&info->lock);
574#else
575 *rss += inode->i_mapping->nrpages;
576#endif
573 } 577 }
574 578
575 total++; 579 total++;