[patch 15/19] x86: fix global_flush_tlb() bug

From: Greg KH
Date: Thu Nov 15 2007 - 01:22:07 EST

Next message: Greg KH: "[patch 16/19] x86 setup: handle boot loaders which set up thestack incorrectly"
Previous message: Greg KH: "[patch 14/19] xfs: eagerly remove vmap mappings to avoid upsettingXen"
In reply to: Greg KH: "[patch 14/19] xfs: eagerly remove vmap mappings to avoid upsettingXen"
Next in thread: Greg KH: "[patch 16/19] x86 setup: handle boot loaders which set up thestack incorrectly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.

------------------
From: Ingo Molnar <mingo@xxxxxxx>

patch 9a24d04a3c26c223f22493492c5c9085b8773d4a upstream

While we were reviewing pageattr_32/64.c for unification,
Thomas Gleixner noticed the following serious SMP bug in
global_flush_tlb():

down_read(&init_mm.mmap_sem);
list_replace_init(&deferred_pages, &l);
up_read(&init_mm.mmap_sem);

this is SMP-unsafe because list_replace_init() done on two CPUs in
parallel can corrupt the list.

This bug has been introduced about a year ago in the 64-bit tree:

commit ea7322decb974a4a3e804f96a0201e893ff88ce3
Author: Andi Kleen <ak@xxxxxxx>
Date: Thu Dec 7 02:14:05 2006 +0100

[PATCH] x86-64: Speed and clean up cache flushing in change_page_attr

down_read(&init_mm.mmap_sem);
- dpage = xchg(&deferred_pages, NULL);
+ list_replace_init(&deferred_pages, &l);
up_read(&init_mm.mmap_sem);

the xchg() based version was SMP-safe, but list_replace_init() is not.
So this "cleanup" introduced a nasty bug.

why this bug never become prominent is a mystery - it can probably be
explained with the (still) relative obscurity of the x86_64 architecture.

the safe fix for now is to write-lock init_mm.mmap_sem.

Signed-off-by: Ingo Molnar <mingo@xxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Andi Kleen <ak@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
arch/x86_64/mm/pageattr.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

--- a/arch/x86_64/mm/pageattr.c
+++ b/arch/x86_64/mm/pageattr.c
@@ -229,9 +229,14 @@ void global_flush_tlb(void)
struct page *pg, *next;
struct list_head l;

- down_read(&init_mm.mmap_sem);
+ /*
+ * Write-protect the semaphore, to exclude two contexts
+ * doing a list_replace_init() call in parallel and to
+ * exclude new additions to the deferred_pages list:
+ */
+ down_write(&init_mm.mmap_sem);
list_replace_init(&deferred_pages, &l);
- up_read(&init_mm.mmap_sem);
+ up_write(&init_mm.mmap_sem);

flush_map(&l);

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 16/19] x86 setup: handle boot loaders which set up thestack incorrectly"
Previous message: Greg KH: "[patch 14/19] xfs: eagerly remove vmap mappings to avoid upsettingXen"
In reply to: Greg KH: "[patch 14/19] xfs: eagerly remove vmap mappings to avoid upsettingXen"
Next in thread: Greg KH: "[patch 16/19] x86 setup: handle boot loaders which set up thestack incorrectly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]