aboutsummaryrefslogtreecommitdiffstats
path: root/mm
diff options
context:
space:
mode:
authorDmitry Adamushko <dmitry.adamushko@gmail.com>2008-07-10 16:21:58 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-07-10 18:18:50 -0400
commitbdb21928512a860a60e6a24a849dc5b63cbaf96a (patch)
tree440a0e418d9eeb8480b26b1e7e47bbff01b4c3de /mm
parent96a8e13ed44e380fc2bb6c711d74d5ba698c00b2 (diff)
slub: Fix use-after-preempt of per-CPU data structure
Vegard Nossum reported a crash in kmem_cache_alloc(): BUG: unable to handle kernel paging request at da87d000 IP: [<c01991c7>] kmem_cache_alloc+0xc7/0xe0 *pde = 28180163 *pte = 1a87d160 Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC Pid: 3850, comm: grep Not tainted (2.6.26-rc9-00059-gb190333 #5) EIP: 0060:[<c01991c7>] EFLAGS: 00210203 CPU: 0 EIP is at kmem_cache_alloc+0xc7/0xe0 EAX: 00000000 EBX: da87c100 ECX: 1adad71a EDX: 6b6b6b6b ESI: 00200282 EDI: da87d000 EBP: f60bfe74 ESP: f60bfe54 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 and analyzed it: "The register %ecx looks innocent but is very important here. The disassembly: mov %edx,%ecx shr $0x2,%ecx rep stos %eax,%es:(%edi) <-- the fault So %ecx has been loaded from %edx... which is 0x6b6b6b6b/POISON_FREE. (0x6b6b6b6b >> 2 == 0x1adadada.) %ecx is the counter for the memset, from here: memset(object, 0, c->objsize); i.e. %ecx was loaded from c->objsize, so "c" must have been freed. Where did "c" come from? Uh-oh... c = get_cpu_slab(s, smp_processor_id()); This looks like it has very much to do with CPU hotplug/unplug. Is there a race between SLUB/hotplug since the CPU slab is used after it has been freed?" Good analysis. Yeah, it's possible that a caller of kmem_cache_alloc() -> slab_alloc() can be migrated on another CPU right after local_irq_restore() and before memset(). The inital cpu can become offline in the mean time (or a migration is a consequence of the CPU going offline) so its 'kmem_cache_cpu' structure gets freed ( slab_cpuup_callback). At some point of time the caller continues on another CPU having an obsolete pointer... Signed-off-by: Dmitry Adamushko <dmitry.adamushko@gmail.com> Reported-by: Vegard Nossum <vegard.nossum@gmail.com> Acked-by: Ingo Molnar <mingo@elte.hu> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r--mm/slub.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/mm/slub.c b/mm/slub.c
index 1a427c0ae83b..315c392253c7 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1628,9 +1628,11 @@ static __always_inline void *slab_alloc(struct kmem_cache *s,
1628 void **object; 1628 void **object;
1629 struct kmem_cache_cpu *c; 1629 struct kmem_cache_cpu *c;
1630 unsigned long flags; 1630 unsigned long flags;
1631 unsigned int objsize;
1631 1632
1632 local_irq_save(flags); 1633 local_irq_save(flags);
1633 c = get_cpu_slab(s, smp_processor_id()); 1634 c = get_cpu_slab(s, smp_processor_id());
1635 objsize = c->objsize;
1634 if (unlikely(!c->freelist || !node_match(c, node))) 1636 if (unlikely(!c->freelist || !node_match(c, node)))
1635 1637
1636 object = __slab_alloc(s, gfpflags, node, addr, c); 1638 object = __slab_alloc(s, gfpflags, node, addr, c);
@@ -1643,7 +1645,7 @@ static __always_inline void *slab_alloc(struct kmem_cache *s,
1643 local_irq_restore(flags); 1645 local_irq_restore(flags);
1644 1646
1645 if (unlikely((gfpflags & __GFP_ZERO) && object)) 1647 if (unlikely((gfpflags & __GFP_ZERO) && object))
1646 memset(object, 0, c->objsize); 1648 memset(object, 0, objsize);
1647 1649
1648 return object; 1650 return object;
1649} 1651}