diff options
| author | Dave Hansen <dave.hansen@linux.intel.com> | 2014-01-30 18:46:09 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-01-30 19:56:56 -0500 |
| commit | a03208652dad18232e9ec3432df69f9c19c856ec (patch) | |
| tree | e11b60229136b2a62dc0683e3a684d105cd6defc /mm | |
| parent | 8790c71a18e5d2d93532ae250bcf5eddbba729cd (diff) | |
mm/slub.c: fix page->_count corruption (again)
Commit abca7c496584 ("mm: fix slab->page _count corruption when using
slub") notes that we can not _set_ a page->counters directly, except
when using a real double-cmpxchg. Doing so can lose updates to
->_count.
That is an absolute rule:
You may not *set* page->counters except via a cmpxchg.
Commit abca7c496584 fixed this for the folks who have the slub
cmpxchg_double code turned off at compile time, but it left the bad case
alone. It can still be reached, and the same bug triggered in two
cases:
1. Turning on slub debugging at runtime, which is available on
the distro kernels that I looked at.
2. On 64-bit CPUs with no CMPXCHG16B (some early AMD x86-64
cpus, evidently)
There are at least 3 ways we could fix this:
1. Take all of the exising calls to cmpxchg_double_slab() and
__cmpxchg_double_slab() and convert them to take an old, new
and target 'struct page'.
2. Do (1), but with the newly-introduced 'slub_data'.
3. Do some magic inside the two cmpxchg...slab() functions to
pull the counters out of new_counters and only set those
fields in page->{inuse,frozen,objects}.
I've done (2) as well, but it's a bunch more code. This patch is an
attempt at (3). This was the most straightforward and foolproof way
that I could think to do this.
This would also technically allow us to get rid of the ugly
#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
in 'struct page', but leaving it alone has the added benefit that
'counters' stays 'unsigned' instead of 'unsigned long', so all the
copies that the slub code does stay a bit smaller.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Christoph Lameter <cl@linux-foundation.org>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Matt Mackall <mpm@selenic.com>
Cc: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
| -rw-r--r-- | mm/slub.c | 19 |
1 files changed, 17 insertions, 2 deletions
| @@ -355,6 +355,21 @@ static __always_inline void slab_unlock(struct page *page) | |||
| 355 | __bit_spin_unlock(PG_locked, &page->flags); | 355 | __bit_spin_unlock(PG_locked, &page->flags); |
| 356 | } | 356 | } |
| 357 | 357 | ||
| 358 | static inline void set_page_slub_counters(struct page *page, unsigned long counters_new) | ||
| 359 | { | ||
| 360 | struct page tmp; | ||
| 361 | tmp.counters = counters_new; | ||
| 362 | /* | ||
| 363 | * page->counters can cover frozen/inuse/objects as well | ||
| 364 | * as page->_count. If we assign to ->counters directly | ||
| 365 | * we run the risk of losing updates to page->_count, so | ||
| 366 | * be careful and only assign to the fields we need. | ||
| 367 | */ | ||
| 368 | page->frozen = tmp.frozen; | ||
| 369 | page->inuse = tmp.inuse; | ||
| 370 | page->objects = tmp.objects; | ||
| 371 | } | ||
| 372 | |||
| 358 | /* Interrupts must be disabled (for the fallback code to work right) */ | 373 | /* Interrupts must be disabled (for the fallback code to work right) */ |
| 359 | static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page, | 374 | static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page, |
| 360 | void *freelist_old, unsigned long counters_old, | 375 | void *freelist_old, unsigned long counters_old, |
| @@ -376,7 +391,7 @@ static inline bool __cmpxchg_double_slab(struct kmem_cache *s, struct page *page | |||
| 376 | if (page->freelist == freelist_old && | 391 | if (page->freelist == freelist_old && |
| 377 | page->counters == counters_old) { | 392 | page->counters == counters_old) { |
| 378 | page->freelist = freelist_new; | 393 | page->freelist = freelist_new; |
| 379 | page->counters = counters_new; | 394 | set_page_slub_counters(page, counters_new); |
| 380 | slab_unlock(page); | 395 | slab_unlock(page); |
| 381 | return 1; | 396 | return 1; |
| 382 | } | 397 | } |
| @@ -415,7 +430,7 @@ static inline bool cmpxchg_double_slab(struct kmem_cache *s, struct page *page, | |||
| 415 | if (page->freelist == freelist_old && | 430 | if (page->freelist == freelist_old && |
| 416 | page->counters == counters_old) { | 431 | page->counters == counters_old) { |
| 417 | page->freelist = freelist_new; | 432 | page->freelist = freelist_new; |
| 418 | page->counters = counters_new; | 433 | set_page_slub_counters(page, counters_new); |
| 419 | slab_unlock(page); | 434 | slab_unlock(page); |
| 420 | local_irq_restore(flags); | 435 | local_irq_restore(flags); |
| 421 | return 1; | 436 | return 1; |