[PATCH] race in mempool_alloc/free

From: Chris Mason
Date: Thu Mar 11 2004 - 15:45:49 EST

Next message: Christophe Saout: "Re: LKM rootkits in 2.6.x"
Previous message: Horst von Brand: "Re: LKM rootkits in 2.6.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello everyone,

mempool_alloc and mempool_free check pool->curr_nr without any locks
held. This can lead to skipping a wakeup when there are people waiting,
and sleeping when there are free elements in the pool.

I can't trigger this reliably, but sooner or later someone on ppc is
probably going to hit it.

-chris

--- linux.t.orig/mm/mempool.c 2004-03-11 14:34:50.000000000 -0500
+++ linux.t/mm/mempool.c 2004-03-11 14:38:30.000000000 -0500
@@ -203,6 +203,7 @@
* If the pool is less than 50% full and we can perform effective
* page reclaim then try harder to allocate an element.
*/
+ mb();
if ((gfp_mask & __GFP_FS) && (gfp_mask != gfp_nowait) &&
(pool->curr_nr <= pool->min_nr/2)) {
element = pool->alloc(gfp_mask, pool->pool_data);
@@ -230,6 +231,7 @@
blk_run_queues();

prepare_to_wait(&pool->wait, &wait, TASK_UNINTERRUPTIBLE);
+ mb();
if (!pool->curr_nr)
io_schedule();
finish_wait(&pool->wait, &wait);
@@ -250,6 +252,7 @@
{
unsigned long flags;

+ mb();
if (pool->curr_nr < pool->min_nr) {
spin_lock_irqsave(&pool->lock, flags);
if (pool->curr_nr < pool->min_nr) {

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christophe Saout: "Re: LKM rootkits in 2.6.x"
Previous message: Horst von Brand: "Re: LKM rootkits in 2.6.x"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]