diff options
| author | Andrew Morton <akpm@linux-foundation.org> | 2009-01-15 16:51:21 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-01-15 19:39:40 -0500 |
| commit | 5b019e99016f3a692ba45bf68fba73a402d7c01a (patch) | |
| tree | a419c318c550dd2edaa03185477e162e0c7d8e77 | |
| parent | 5da7f3d71e243ef5c464967581414d29c72bab75 (diff) | |
lib/idr.c: use kmem_cache_zalloc() for the idr_layer cache
David points out that the idr_remove_all() function returns unused slabs
to the kmem cache, but needs to zero them first or else they will be
uninitialized upon next use. This causes crashes which have been observed
in the firewire subsystem.
He fixed this by zeroing the object before freeing it in idr_remove_all().
But we agree that simply removing the constructor and zeroing the object
at allocation time is simpler than relying upon slab constructor machinery
and might even be faster.
This problem was introduced by "idr: make idr_remove rcu-safe" (commit
cf481c20c476ad2c0febdace9ce23f5a4db19582), which was first released in
2.6.27.
There are no known codesites which trigger this bug in 2.6.27 or 2.6.28.
The post-2.6.28 firewire changes are the only known triggerer.
There might of course be not-yet-discovered triggerers in 2.6.27 and
2.6.28, and there might be out-of-tree triggerers which are added to those
kernel versions. I'll let the -stable guys decide whether they want to
backport this fix.
Reported-by: David Moore <dcm@acm.org>
Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: Nadia Derbey <Nadia.Derbey@bull.net>
Cc: Paul E. McKenney <paulmck@us.ibm.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Kristian Hgsberg <krh@redhat.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | lib/idr.c | 10 |
1 files changed, 2 insertions, 8 deletions
| @@ -121,7 +121,7 @@ int idr_pre_get(struct idr *idp, gfp_t gfp_mask) | |||
| 121 | { | 121 | { |
| 122 | while (idp->id_free_cnt < IDR_FREE_MAX) { | 122 | while (idp->id_free_cnt < IDR_FREE_MAX) { |
| 123 | struct idr_layer *new; | 123 | struct idr_layer *new; |
| 124 | new = kmem_cache_alloc(idr_layer_cache, gfp_mask); | 124 | new = kmem_cache_zalloc(idr_layer_cache, gfp_mask); |
| 125 | if (new == NULL) | 125 | if (new == NULL) |
| 126 | return (0); | 126 | return (0); |
| 127 | move_to_free_list(idp, new); | 127 | move_to_free_list(idp, new); |
| @@ -623,16 +623,10 @@ void *idr_replace(struct idr *idp, void *ptr, int id) | |||
| 623 | } | 623 | } |
| 624 | EXPORT_SYMBOL(idr_replace); | 624 | EXPORT_SYMBOL(idr_replace); |
| 625 | 625 | ||
| 626 | static void idr_cache_ctor(void *idr_layer) | ||
| 627 | { | ||
| 628 | memset(idr_layer, 0, sizeof(struct idr_layer)); | ||
| 629 | } | ||
| 630 | |||
| 631 | void __init idr_init_cache(void) | 626 | void __init idr_init_cache(void) |
| 632 | { | 627 | { |
| 633 | idr_layer_cache = kmem_cache_create("idr_layer_cache", | 628 | idr_layer_cache = kmem_cache_create("idr_layer_cache", |
| 634 | sizeof(struct idr_layer), 0, SLAB_PANIC, | 629 | sizeof(struct idr_layer), 0, SLAB_PANIC, NULL); |
| 635 | idr_cache_ctor); | ||
| 636 | } | 630 | } |
| 637 | 631 | ||
| 638 | /** | 632 | /** |