diff options
author | Dmitry Adamushko <dmitry.adamushko@gmail.com> | 2008-07-10 16:21:58 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-10 18:18:50 -0400 |
commit | bdb21928512a860a60e6a24a849dc5b63cbaf96a (patch) | |
tree | 440a0e418d9eeb8480b26b1e7e47bbff01b4c3de | |
parent | 96a8e13ed44e380fc2bb6c711d74d5ba698c00b2 (diff) |
slub: Fix use-after-preempt of per-CPU data structure
Vegard Nossum reported a crash in kmem_cache_alloc():
BUG: unable to handle kernel paging request at da87d000
IP: [<c01991c7>] kmem_cache_alloc+0xc7/0xe0
*pde = 28180163 *pte = 1a87d160
Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Pid: 3850, comm: grep Not tainted (2.6.26-rc9-00059-gb190333 #5)
EIP: 0060:[<c01991c7>] EFLAGS: 00210203 CPU: 0
EIP is at kmem_cache_alloc+0xc7/0xe0
EAX: 00000000 EBX: da87c100 ECX: 1adad71a EDX: 6b6b6b6b
ESI: 00200282 EDI: da87d000 EBP: f60bfe74 ESP: f60bfe54
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
and analyzed it:
"The register %ecx looks innocent but is very important here. The disassembly:
mov %edx,%ecx
shr $0x2,%ecx
rep stos %eax,%es:(%edi) <-- the fault
So %ecx has been loaded from %edx... which is 0x6b6b6b6b/POISON_FREE.
(0x6b6b6b6b >> 2 == 0x1adadada.)
%ecx is the counter for the memset, from here:
memset(object, 0, c->objsize);
i.e. %ecx was loaded from c->objsize, so "c" must have been freed.
Where did "c" come from? Uh-oh...
c = get_cpu_slab(s, smp_processor_id());
This looks like it has very much to do with CPU hotplug/unplug. Is
there a race between SLUB/hotplug since the CPU slab is used after it
has been freed?"
Good analysis.
Yeah, it's possible that a caller of kmem_cache_alloc() -> slab_alloc()
can be migrated on another CPU right after local_irq_restore() and
before memset(). The inital cpu can become offline in the mean time (or
a migration is a consequence of the CPU going offline) so its
'kmem_cache_cpu' structure gets freed ( slab_cpuup_callback).
At some point of time the caller continues on another CPU having an
obsolete pointer...
Signed-off-by: Dmitry Adamushko <dmitry.adamushko@gmail.com>
Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | mm/slub.c | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -1628,9 +1628,11 @@ static __always_inline void *slab_alloc(struct kmem_cache *s, | |||
1628 | void **object; | 1628 | void **object; |
1629 | struct kmem_cache_cpu *c; | 1629 | struct kmem_cache_cpu *c; |
1630 | unsigned long flags; | 1630 | unsigned long flags; |
1631 | unsigned int objsize; | ||
1631 | 1632 | ||
1632 | local_irq_save(flags); | 1633 | local_irq_save(flags); |
1633 | c = get_cpu_slab(s, smp_processor_id()); | 1634 | c = get_cpu_slab(s, smp_processor_id()); |
1635 | objsize = c->objsize; | ||
1634 | if (unlikely(!c->freelist || !node_match(c, node))) | 1636 | if (unlikely(!c->freelist || !node_match(c, node))) |
1635 | 1637 | ||
1636 | object = __slab_alloc(s, gfpflags, node, addr, c); | 1638 | object = __slab_alloc(s, gfpflags, node, addr, c); |
@@ -1643,7 +1645,7 @@ static __always_inline void *slab_alloc(struct kmem_cache *s, | |||
1643 | local_irq_restore(flags); | 1645 | local_irq_restore(flags); |
1644 | 1646 | ||
1645 | if (unlikely((gfpflags & __GFP_ZERO) && object)) | 1647 | if (unlikely((gfpflags & __GFP_ZERO) && object)) |
1646 | memset(object, 0, c->objsize); | 1648 | memset(object, 0, objsize); |
1647 | 1649 | ||
1648 | return object; | 1650 | return object; |
1649 | } | 1651 | } |