mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-19 04:37:57 +07:00
1d798ca3f1
Hugh has pointed that compound_head() call can be unsafe in some
context. There's one example:
CPU0 CPU1
isolate_migratepages_block()
page_count()
compound_head()
!!PageTail() == true
put_page()
tail->first_page = NULL
head = tail->first_page
alloc_pages(__GFP_COMP)
prep_compound_page()
tail->first_page = head
__SetPageTail(p);
!!PageTail() == true
<head == NULL dereferencing>
The race is pure theoretical. I don't it's possible to trigger it in
practice. But who knows.
We can fix the race by changing how encode PageTail() and compound_head()
within struct page to be able to update them in one shot.
The patch introduces page->compound_head into third double word block in
front of compound_dtor and compound_order. Bit 0 encodes PageTail() and
the rest bits are pointer to head page if bit zero is set.
The patch moves page->pmd_huge_pte out of word, just in case if an
architecture defines pgtable_t into something what can have the bit 0
set.
hugetlb_cgroup uses page->lru.next in the second tail page to store
pointer struct hugetlb_cgroup. The patch switch it to use page->private
in the second tail page instead. The space is free since ->first_page is
removed from the union.
The patch also opens possibility to remove HUGETLB_CGROUP_MIN_ORDER
limitation, since there's now space in first tail page to store struct
hugetlb_cgroup pointer. But that's out of scope of the patch.
That means page->compound_head shares storage space with:
- page->lru.next;
- page->next;
- page->rcu_head.next;
That's too long list to be absolutely sure, but looks like nobody uses
bit 0 of the word.
page->rcu_head.next guaranteed[1] to have bit 0 clean as long as we use
call_rcu(), call_rcu_bh(), call_rcu_sched(), or call_srcu(). But future
call_rcu_lazy() is not allowed as it makes use of the bit and we can
get false positive PageTail().
[1] http://lkml.kernel.org/g/20150827163634.GD4029@linux.vnet.ibm.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|---|---|---|
| .. | ||
| ABI | ||
| accounting | ||
| acpi | ||
| aoe | ||
| arm | ||
| arm64 | ||
| auxdisplay | ||
| backlight | ||
| blackfin | ||
| block | ||
| blockdev | ||
| bus-devices | ||
| cdrom | ||
| cgroups | ||
| cma | ||
| connector | ||
| console | ||
| cpu-freq | ||
| cpuidle | ||
| cris | ||
| crypto | ||
| development-process | ||
| device-mapper | ||
| devicetree | ||
| dmaengine | ||
| DocBook | ||
| driver-model | ||
| dvb | ||
| early-userspace | ||
| EDID | ||
| extcon | ||
| fault-injection | ||
| fb | ||
| features | ||
| filesystems | ||
| firmware_class | ||
| fmc | ||
| fpga | ||
| frv | ||
| gpio | ||
| hid | ||
| hwmon | ||
| i2c | ||
| ia64 | ||
| ide | ||
| infiniband | ||
| input | ||
| ioctl | ||
| isdn | ||
| ja_JP | ||
| kbuild | ||
| kdump | ||
| ko_KR | ||
| laptops | ||
| leds | ||
| locking | ||
| m68k | ||
| memory-devices | ||
| metag | ||
| mic | ||
| mips | ||
| misc-devices | ||
| mmc | ||
| mn10300 | ||
| mtd | ||
| namespaces | ||
| netlabel | ||
| networking | ||
| nfc | ||
| nios2 | ||
| nvdimm | ||
| nvmem | ||
| parisc | ||
| PCI | ||
| pcmcia | ||
| phy | ||
| platform | ||
| power | ||
| powerpc | ||
| pps | ||
| prctl | ||
| pti | ||
| ptp | ||
| rapidio | ||
| RCU | ||
| s390 | ||
| scheduler | ||
| scsi | ||
| security | ||
| serial | ||
| sh | ||
| sound | ||
| spi | ||
| sysctl | ||
| target | ||
| thermal | ||
| timers | ||
| tpm | ||
| trace | ||
| usb | ||
| vDSO | ||
| video4linux | ||
| virtual | ||
| vm | ||
| w1 | ||
| watchdog | ||
| wimax | ||
| x86 | ||
| xtensa | ||
| zh_CN | ||
| 00-INDEX | ||
| adding-syscalls.txt | ||
| applying-patches.txt | ||
| assoc_array.txt | ||
| atomic_ops.txt | ||
| bad_memory.txt | ||
| basic_profiling.txt | ||
| bcache.txt | ||
| binfmt_misc.txt | ||
| braille-console.txt | ||
| bt8xxgpio.txt | ||
| btmrvl.txt | ||
| BUG-HUNTING | ||
| bus-virt-phys-mapping.txt | ||
| cachetlb.txt | ||
| Changes | ||
| circular-buffers.txt | ||
| clk.txt | ||
| coccinelle.txt | ||
| CodeOfConflict | ||
| CodingStyle | ||
| cpu-hotplug.txt | ||
| cpu-load.txt | ||
| cputopology.txt | ||
| crc32.txt | ||
| dcdbas.txt | ||
| debugging-modules.txt | ||
| debugging-via-ohci1394.txt | ||
| dell_rbu.txt | ||
| devices.txt | ||
| digsig.txt | ||
| DMA-API-HOWTO.txt | ||
| DMA-API.txt | ||
| DMA-attributes.txt | ||
| dma-buf-sharing.txt | ||
| DMA-ISA-LPC.txt | ||
| dontdiff | ||
| dynamic-debug-howto.txt | ||
| edac.txt | ||
| efi-stub.txt | ||
| eisa.txt | ||
| email-clients.txt | ||
| flexible-arrays.txt | ||
| futex-requeue-pi.txt | ||
| gcov.txt | ||
| gdb-kernel-debugging.txt | ||
| highuid.txt | ||
| HOWTO | ||
| hsi.txt | ||
| hw_random.txt | ||
| hwspinlock.txt | ||
| init.txt | ||
| initrd.txt | ||
| intel_txt.txt | ||
| Intel-IOMMU.txt | ||
| io_ordering.txt | ||
| io-mapping.txt | ||
| iostats.txt | ||
| IPMI.txt | ||
| IRQ-affinity.txt | ||
| IRQ-domain.txt | ||
| IRQ.txt | ||
| irqflags-tracing.txt | ||
| isapnp.txt | ||
| java.txt | ||
| kasan.txt | ||
| kernel-doc-nano-HOWTO.txt | ||
| kernel-docs.txt | ||
| kernel-parameters.txt | ||
| kernel-per-CPU-kthreads.txt | ||
| kmemcheck.txt | ||
| kmemleak.txt | ||
| kobject.txt | ||
| kprobes.txt | ||
| kref.txt | ||
| kselftest.txt | ||
| ldm.txt | ||
| local_ops.txt | ||
| lockup-watchdogs.txt | ||
| logo.gif | ||
| logo.txt | ||
| lzo.txt | ||
| magic-number.txt | ||
| mailbox.txt | ||
| Makefile | ||
| ManagementStyle | ||
| md-cluster.txt | ||
| md.txt | ||
| media-framework.txt | ||
| memory-barriers.txt | ||
| memory-hotplug.txt | ||
| men-chameleon-bus.txt | ||
| module-signing.txt | ||
| mono.txt | ||
| nommu-mmap.txt | ||
| ntb.txt | ||
| numastat.txt | ||
| oops-tracing.txt | ||
| padata.txt | ||
| parport-lowlevel.txt | ||
| parport.txt | ||
| percpu-rw-semaphore.txt | ||
| phy.txt | ||
| pi-futex.txt | ||
| pinctrl.txt | ||
| pnp.txt | ||
| preempt-locking.txt | ||
| printk-formats.txt | ||
| pwm.txt | ||
| ramoops.txt | ||
| rbtree.txt | ||
| remoteproc.txt | ||
| rfkill.txt | ||
| robust-futex-ABI.txt | ||
| robust-futexes.txt | ||
| rpmsg.txt | ||
| rtc.txt | ||
| SAK.txt | ||
| SecurityBugs | ||
| serial-console.txt | ||
| sgi-ioc4.txt | ||
| SM501.txt | ||
| smsc_ece1099.txt | ||
| sparse.txt | ||
| stable_api_nonsense.txt | ||
| stable_kernel_rules.txt | ||
| static-keys.txt | ||
| SubmitChecklist | ||
| SubmittingDrivers | ||
| SubmittingPatches | ||
| svga.txt | ||
| sysfs-rules.txt | ||
| sysrq.txt | ||
| this_cpu_ops.txt | ||
| unaligned-memory-access.txt | ||
| unicode.txt | ||
| unshare.txt | ||
| vfio.txt | ||
| VGA-softcursor.txt | ||
| vgaarbiter.txt | ||
| video-output.txt | ||
| vme_api.txt | ||
| volatile-considered-harmful.txt | ||
| workqueue.txt | ||
| xillybus.txt | ||
| xz.txt | ||
| zorro.txt | ||
