[patch 1/2] mm: memcontrol: fix lockless reclaim hierarchy iterator

From: Johannes Weiner
Date: Wed Jun 05 2013 - 18:54:25 EST


The lockless reclaim hierarchy iterator currently has a misplaced
barrier that can lead to use-after-free crashes.

The reclaim hierarchy iterator consists of a sequence count and a
position pointer that are read and written locklessly, with memory
barriers enforcing ordering.

The write side sets the position pointer first, then updates the
sequence count to "publish" the new position. Likewise, the read side
must read the sequence count first, then the position. If the
sequence count is up to date, it's guaranteed that the position is up
to date as well:

writer:                            reader:
iter->position = position          if iter->sequence == expected:
smp_wmb()                              smp_rmb()
iter->sequence = sequence              position = iter->position

However, the read side barrier is currently misplaced, which can lead
to dereferencing stale position pointers that no longer point to valid
memory. Fix this.

Reported-by: Tejun Heo <tj@xxxxxxxxxx>
Signed-off-by: Johannes Weiner <hannes@xxxxxxxxxxx>
Cc: stable@xxxxxxxxxx [3.10+]
---
mm/memcontrol.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 010d6c1..e2cbb44 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1199,7 +1199,6 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,

mz = mem_cgroup_zoneinfo(root, nid, zid);
iter = &mz->reclaim_iter[reclaim->priority];
- last_visited = iter->last_visited;
if (prev && reclaim->generation != iter->generation) {
iter->last_visited = NULL;
goto out_unlock;
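Review bot: with the early `last_visited = iter->last_visited;` read dropped, the `goto out_unlock` path in this hunk no longer assigns last_visited at all, which is only safe if the variable is initialised to NULL at its declaration; that declaration is outside the visible context, so it is worth confirming in the full function that out_unlock cannot observe an indeterminate pointer. The removal itself is right: that load happened before the dead_count check and without any barrier, so it could return an unpublished, possibly freed pointer.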
@@ -1218,13 +1217,12 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root,
* is alive.
*/
dead_count = atomic_read(&root->dead_count);
- smp_rmb();
- last_visited = iter->last_visited;
- if (last_visited) {
- if ((dead_count != iter->last_dead_count) ||
- !css_tryget(&last_visited->css)) {
+ if (dead_count == iter->last_dead_count) {
+ smp_rmb();
+ last_visited = iter->last_visited;
+ if (last_visited &&
+ !css_tryget(&last_visited->css))
last_visited = NULL;
- }
}
}

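Review bot: the ordering now matches the writer side described in the commit message, with `smp_rmb();` placed between the `if (dead_count == iter->last_dead_count)` comparison and the `last_visited = iter->last_visited;` load, so a stale sequence is never followed by a position load; however, the comment block ending in `* is alive.` / `*/` just above the hunk still documents the old check-after-load sequence and should be updated to state the new order (sequence check, barrier, position load). Also note that when dead_count differs, last_visited is now left untouched rather than set to NULL, so this hunk, like the first, depends on the variable's initial NULL value.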
--
1.8.3
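To make the writer/reader protocol from the commit message concrete, here is an added, constructed userspace model (not the kernel's code) of the iterator: `publish()` plays the writer, `lookup()` the fixed reader, and the sequence/position pair stands in for dead_count/last_dead_count and last_visited; C11 fences replace smp_wmb()/smp_rmb(), and all struct and function names are hypothetical.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Constructed model of the lockless reclaim iterator: a position pointer
 * plus a sequence count, read and written without locks. */
struct node { int id; };

struct iter {
    struct node      *position;   /* written first by the writer */
    _Atomic unsigned  sequence;   /* written last: "publishes" position */
};

/* Writer: store the position, then a release fence (the kernel's
 * smp_wmb()), then the sequence that makes the new position visible. */
void publish(struct iter *it, struct node *pos, unsigned seq)
{
    it->position = pos;
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&it->sequence, seq, memory_order_relaxed);
}

/* Reader in the fixed order: check the sequence first, only then issue
 * the acquire fence (smp_rmb()) and load the position. On a stale
 * sequence the position is never read, because it may already point at
 * freed memory; NULL is returned instead, mirroring last_visited = NULL. */
struct node *lookup(const struct iter *it, unsigned expected)
{
    if (atomic_load_explicit(&it->sequence, memory_order_relaxed) != expected)
        return NULL;
    atomic_thread_fence(memory_order_acquire);
    return it->position;
}

/* Walk the protocol once: publish generation 1, read it back, publish
 * generation 2, then let a reader arrive still expecting generation 1.
 * Returns 1 when the current read succeeds and the stale read is refused. */
int demo(void)
{
    static struct node a = { 1 }, b = { 2 };
    struct iter it = { NULL, 0 };

    publish(&it, &a, 1);
    struct node *seen = lookup(&it, 1);    /* current: returns &a */
    publish(&it, &b, 2);
    struct node *stale = lookup(&it, 1);   /* stale: returns NULL */
    return seen == &a && stale == NULL;
}
```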
