Home » Mailing list archives » linux-kernel » 2007 » November » 2

[patch 7/9] x86: fix global_flush_tlb() bug

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Greg KH <gregkh@...>
To: <linux-kernel@...>, <stable@...>
Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, Domenico Andreoli <cavokz@...>, <torvalds@...>, <akpm@...>, <alan@...>, Ingo Molnar <mingo@...>, Thomas Gleixner <tglx@...>, Andi Kleen <ak@...>
Subject: [patch 7/9] x86: fix global_flush_tlb() bug
Date: Friday, November 2, 2007 - 1:38 pm

2.6.22-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Ingo Molnar <mingo@elte.hu>

patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream

While we were reviewing pageattr_32/64.c for unification,
Thomas Gleixner noticed the following serious SMP bug in
global_flush_tlb():

	down_read(&init_mm.mmap_sem);
	list_replace_init(&deferred_pages, &l);
	up_read(&init_mm.mmap_sem);

this is SMP-unsafe because list_replace_init() done on two CPUs in
parallel can corrupt the list.

This bug has been introduced about a year ago in the 64-bit tree:

       commit ea7322decb974a4a3e804f96a0201e893ff88ce3
       Author: Andi Kleen <ak@suse.de>
       Date:   Thu Dec 7 02:14:05 2006 +0100

       [PATCH] x86-64: Speed and clean up cache flushing in change_page_attr

                down_read(&init_mm.mmap_sem);
        -       dpage = xchg(&deferred_pages, NULL);
        +       list_replace_init(&deferred_pages, &l);
                up_read(&init_mm.mmap_sem);

the xchg() based version was SMP-safe, but list_replace_init() is not.
So this "cleanup" introduced a nasty bug.

why this bug never become prominent is a mystery - it can probably be
explained with the (still) relative obscurity of the x86_64 architecture.

the safe fix for now is to write-lock init_mm.mmap_sem.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <ak@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 arch/x86_64/mm/pageattr.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86_64/mm/pageattr.c
+++ b/arch/x86_64/mm/pageattr.c
@@ -227,9 +227,14 @@ void global_flush_tlb(void)
 	struct page *pg, *next;
 	struct list_head l;
 
-	down_read(&init_mm.mmap_sem);
+	/*
+	 * Write-protect the semaphore, to exclude two contexts
+	 * doing a list_replace_init() call in parallel and to
+	 * exclude new additions to the deferred_pages list:
+	 */
+	down_write(&init_mm.mmap_sem);
 	list_replace_init(&deferred_pages, &l);
-	up_read(&init_mm.mmap_sem);
+	up_write(&init_mm.mmap_sem);
 
 	flush_map(&l);
 

-- 
-
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[patch 0/9] 2.6.22-stable review, Greg KH, (Fri Nov 2, 1:37 pm)
Re: [patch 0/9] 2.6.22-stable review, Greg KH, (Fri Nov 2, 1:41 pm)
[patch 9/9] Revert "x86_64: allocate sparsemem memmap above ..., Greg KH, (Fri Nov 2, 1:38 pm)
[patch 8/9] dm snapshot: fix invalidation deadlock, Greg KH, (Fri Nov 2, 1:38 pm)
[patch 7/9] x86: fix global_flush_tlb() bug, Greg KH, (Fri Nov 2, 1:38 pm)
[patch 6/9] param_sysfs_builtin memchr argument fix, Greg KH, (Fri Nov 2, 1:38 pm)
[patch 5/9] minixfs: limit minixfs printks on corrupted dir ..., Greg KH, (Fri Nov 2, 1:38 pm)
[patch 4/9] IB/uverbs: Fix checking of userspace object owne..., Greg KH, (Fri Nov 2, 1:37 pm)
[patch 3/9] genirq: mark io_apic level interrupts to avoid r..., Greg KH, (Fri Nov 2, 1:37 pm)
[patch 2/9] genirq: suppress resend of level interrupts, Greg KH, (Fri Nov 2, 1:37 pm)
[patch 1/9] genirq: cleanup mismerge artifact, Greg KH, (Fri Nov 2, 1:37 pm)