authorStuart Bennett <stuart@freedesktop.org>2009-03-08 14:21:35 -0400
committerIngo Molnar <mingo@elte.hu>2009-03-08 14:51:23 -0400
commitd0fc63f7bd07cb779a06dc1cdd0c5a14e7f5d562 (patch)
tree9d4dd9976bbc20709d6f8e0242537f76141bdc7d
parent73bf1b62f561fc8ecb00e2810efe4fe769f4933e (diff)
x86 mmiotrace: fix remove_kmmio_fault_pages()
Impact: fix race+crash in mmiotrace The list manipulation in remove_kmmio_fault_pages() was broken. If more than one consecutive kmmio_fault_page was re-added during the grace period between unregister_kmmio_probe() and remove_kmmio_fault_pages(), the list manipulation failed to remove pages from the release list. After a second grace period the pages get into rcu_free_kmmio_fault_pages() and raise a BUG_ON() kernel crash. The list manipulation is fixed to properly remove pages from the release list. This bug has been present from the very beginning of mmiotrace in the mainline kernel. It was introduced in 0fd0e3da ("x86: mmiotrace full patch, preview 1"). An urgent fix for Linus. Tested by Stuart (on 32-bit) and Pekka (on amd and intel 64-bit systems, nouveau and nvidia proprietary). Signed-off-by: Stuart Bennett <stuart@freedesktop.org> Signed-off-by: Pekka Paalanen <pq@iki.fi> LKML-Reference: <20090308202135.34933feb@daedalus.pq.iki.fi> Signed-off-by: Ingo Molnar <mingo@elte.hu>
-rw-r--r--arch/x86/mm/kmmio.c15
1 files changed, 8 insertions, 7 deletions
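--- a/arch/x86/mm/kmmio.c
+++ b/arch/x86/mm/kmmio.c
@@ -451,23 +451,24 @@ static void rcu_free_kmmio_fault_pages(struct rcu_head *head)
 
 static void remove_kmmio_fault_pages(struct rcu_head *head)
 {
-	struct kmmio_delayed_release *dr = container_of(
-						head,
-						struct kmmio_delayed_release,
-						rcu);
+	struct kmmio_delayed_release *dr =
+		container_of(head, struct kmmio_delayed_release, rcu);
 	struct kmmio_fault_page *p = dr->release_list;
 	struct kmmio_fault_page **prevp = &dr->release_list;
 	unsigned long flags;
+
 	spin_lock_irqsave(&kmmio_lock, flags);
 	while (p) {
-		if (!p->count)
+		if (!p->count) {
 			list_del_rcu(&p->list);
-		else
+			prevp = &p->release_next;
+		} else {
 			*prevp = p->release_next;
-			prevp = &p->release_next;
+		}
 		p = p->release_next;
 	}
 	spin_unlock_irqrestore(&kmmio_lock, flags);
+
 	/* This is the real RCU destroy call. */
 	call_rcu(&dr->rcu, rcu_free_kmmio_fault_pages);
 }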
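Review bot: The corrected loop now rests on a non-obvious invariant — `prevp` advances only past pages that stay on the release list — and nothing in the hunk states it, which is how the original version went wrong in the first place. I would add above `while (p) {`: `/* A page with count != 0 was re-registered during the grace period and is unlinked from the release list; prevp must stay at the predecessor's link so that consecutive re-added pages are all skipped. */`. The `else` branch also leaves the skipped page's `release_next` pointing into the list that rcu_free_kmmio_fault_pages() will free on the second grace period; I cannot tell from this hunk whether anything reads that field before the page is placed on a later release list, so either clearing it after the next pointer has been saved or a comment stating that `release_next` is only meaningful while the page is on a release list would make the stale pointer harmless to a future reader.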