Revision 0d777df5d8953293be090d9ab5a355db893e8357 authored by Naoya Horiguchi on 11 December 2015, 21:40:49 UTC, committed by Linus Torvalds on 12 December 2015, 18:15:34 UTC
Currently at the beginning of hugetlb_fault(), we call huge_pte_offset() and check whether the obtained *ptep is a migration/hwpoison entry or not. And if not, then we get to call huge_pte_alloc(). This is racy because the *ptep could turn into migration/hwpoison entry after the huge_pte_offset() check. This race results in BUG_ON in huge_pte_alloc(). We don't have to call huge_pte_alloc() when the huge_pte_offset() returns non-NULL, so let's fix this bug with moving the code into else block. Note that the *ptep could turn into a migration/hwpoison entry after this block, but that's not a problem because we have another !pte_present check later (we never go into hugetlb_no_page() in that case.) Fixes: 290408d4a250 ("hugetlb: hugepage migration core") Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com> Acked-by: Hillf Danton <hillf.zj@alibaba-inc.com> Acked-by: David Rientjes <rientjes@google.com> Cc: Hugh Dickins <hughd@google.com> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Mike Kravetz <mike.kravetz@oracle.com> Cc: <stable@vger.kernel.org> [2.6.36+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 86fffe4
cma_debug.c
/*
* CMA DebugFS Interface
*
* Copyright (c) 2015 Sasha Levin <sasha.levin@oracle.com>
*/
#include <linux/debugfs.h>
#include <linux/cma.h>
#include <linux/list.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/mm_types.h>
#include "cma.h"
struct cma_mem {
struct hlist_node node;
struct page *p;
unsigned long n;
};
static struct dentry *cma_debugfs_root;
static int cma_debugfs_get(void *data, u64 *val)
{
unsigned long *p = data;
*val = *p;
return 0;
}
DEFINE_SIMPLE_ATTRIBUTE(cma_debugfs_fops, cma_debugfs_get, NULL, "%llu\n");
static int cma_used_get(void *data, u64 *val)
{
struct cma *cma = data;
unsigned long used;
mutex_lock(&cma->lock);
/* pages counter is smaller than sizeof(int) */
used = bitmap_weight(cma->bitmap, (int)cma_bitmap_maxno(cma));
mutex_unlock(&cma->lock);
*val = (u64)used << cma->order_per_bit;
return 0;
}
DEFINE_SIMPLE_ATTRIBUTE(cma_used_fops, cma_used_get, NULL, "%llu\n");
static int cma_maxchunk_get(void *data, u64 *val)
{
struct cma *cma = data;
unsigned long maxchunk = 0;
unsigned long start, end = 0;
unsigned long bitmap_maxno = cma_bitmap_maxno(cma);
mutex_lock(&cma->lock);
for (;;) {
start = find_next_zero_bit(cma->bitmap, bitmap_maxno, end);
if (start >= cma->count)
break;
end = find_next_bit(cma->bitmap, bitmap_maxno, start);
maxchunk = max(end - start, maxchunk);
}
mutex_unlock(&cma->lock);
*val = (u64)maxchunk << cma->order_per_bit;
return 0;
}
DEFINE_SIMPLE_ATTRIBUTE(cma_maxchunk_fops, cma_maxchunk_get, NULL, "%llu\n");
static void cma_add_to_cma_mem_list(struct cma *cma, struct cma_mem *mem)
{
spin_lock(&cma->mem_head_lock);
hlist_add_head(&mem->node, &cma->mem_head);
spin_unlock(&cma->mem_head_lock);
}
static struct cma_mem *cma_get_entry_from_list(struct cma *cma)
{
struct cma_mem *mem = NULL;
spin_lock(&cma->mem_head_lock);
if (!hlist_empty(&cma->mem_head)) {
mem = hlist_entry(cma->mem_head.first, struct cma_mem, node);
hlist_del_init(&mem->node);
}
spin_unlock(&cma->mem_head_lock);
return mem;
}
static int cma_free_mem(struct cma *cma, int count)
{
struct cma_mem *mem = NULL;
while (count) {
mem = cma_get_entry_from_list(cma);
if (mem == NULL)
return 0;
if (mem->n <= count) {
cma_release(cma, mem->p, mem->n);
count -= mem->n;
kfree(mem);
} else if (cma->order_per_bit == 0) {
cma_release(cma, mem->p, count);
mem->p += count;
mem->n -= count;
count = 0;
cma_add_to_cma_mem_list(cma, mem);
} else {
pr_debug("cma: cannot release partial block when order_per_bit != 0\n");
cma_add_to_cma_mem_list(cma, mem);
break;
}
}
return 0;
}
static int cma_free_write(void *data, u64 val)
{
int pages = val;
struct cma *cma = data;
return cma_free_mem(cma, pages);
}
DEFINE_SIMPLE_ATTRIBUTE(cma_free_fops, NULL, cma_free_write, "%llu\n");
static int cma_alloc_mem(struct cma *cma, int count)
{
struct cma_mem *mem;
struct page *p;
mem = kzalloc(sizeof(*mem), GFP_KERNEL);
if (!mem)
return -ENOMEM;
p = cma_alloc(cma, count, 0);
if (!p) {
kfree(mem);
return -ENOMEM;
}
mem->p = p;
mem->n = count;
cma_add_to_cma_mem_list(cma, mem);
return 0;
}
static int cma_alloc_write(void *data, u64 val)
{
int pages = val;
struct cma *cma = data;
return cma_alloc_mem(cma, pages);
}
DEFINE_SIMPLE_ATTRIBUTE(cma_alloc_fops, NULL, cma_alloc_write, "%llu\n");
static void cma_debugfs_add_one(struct cma *cma, int idx)
{
struct dentry *tmp;
char name[16];
int u32s;
sprintf(name, "cma-%d", idx);
tmp = debugfs_create_dir(name, cma_debugfs_root);
debugfs_create_file("alloc", S_IWUSR, tmp, cma,
&cma_alloc_fops);
debugfs_create_file("free", S_IWUSR, tmp, cma,
&cma_free_fops);
debugfs_create_file("base_pfn", S_IRUGO, tmp,
&cma->base_pfn, &cma_debugfs_fops);
debugfs_create_file("count", S_IRUGO, tmp,
&cma->count, &cma_debugfs_fops);
debugfs_create_file("order_per_bit", S_IRUGO, tmp,
&cma->order_per_bit, &cma_debugfs_fops);
debugfs_create_file("used", S_IRUGO, tmp, cma, &cma_used_fops);
debugfs_create_file("maxchunk", S_IRUGO, tmp, cma, &cma_maxchunk_fops);
u32s = DIV_ROUND_UP(cma_bitmap_maxno(cma), BITS_PER_BYTE * sizeof(u32));
debugfs_create_u32_array("bitmap", S_IRUGO, tmp, (u32*)cma->bitmap, u32s);
}
static int __init cma_debugfs_init(void)
{
int i;
cma_debugfs_root = debugfs_create_dir("cma", NULL);
if (!cma_debugfs_root)
return -ENOMEM;
for (i = 0; i < cma_area_count; i++)
cma_debugfs_add_one(&cma_areas[i], i);
return 0;
}
late_initcall(cma_debugfs_init);
Computing file changes ...