Revision f19b9f74b7ea3b21ddcee55d852a6488239608a4 authored by Akinobu Mita on 30 July 2012, 21:42:33 UTC, committed by Linus Torvalds on 31 July 2012, 00:25:20 UTC
The function dup_task() may fail at the following function calls in the
following order.
0) alloc_task_struct_node()
1) alloc_thread_info_node()
2) arch_dup_task_struct()
Error by 0) is not a matter, it can just return. But error by 1) requires
releasing task_struct allocated by 0) before it returns. Likewise, error
by 2) requires releasing task_struct and thread_info allocated by 0) and
1).
The existing error handling calls free_task_struct() and
free_thread_info() which do not only release task_struct and thread_info,
but also call architecture specific arch_release_task_struct() and
arch_release_thread_info().
The problem is that task_struct and thread_info are not fully initialized
yet at this point, but arch_release_task_struct() and
arch_release_thread_info() are called with them.
For example, x86 defines its own arch_release_task_struct() that releases
a task_xstate. If alloc_thread_info_node() fails in dup_task(),
arch_release_task_struct() is called with task_struct which is just
allocated and filled with garbage in this error handling.
This actually happened with tools/testing/fault-injection/failcmd.sh
# env FAILCMD_TYPE=fail_page_alloc \
./tools/testing/fault-injection/failcmd.sh --times=100 \
--min-order=0 --ignore-gfp-wait=0 \
-- make -C tools/testing/selftests/ run_tests
In order to fix this issue, make free_{task_struct,thread_info}() not to
call arch_release_{task_struct,thread_info}() and call
arch_release_{task_struct,thread_info}() implicitly where needed.
Default arch_release_task_struct() and arch_release_thread_info() are
defined as empty by default. So this change only affects the
architectures which implement their own arch_release_task_struct() or
arch_release_thread_info() as listed below.
arch_release_task_struct(): x86, sh
arch_release_thread_info(): mn10300, tile
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Koichi Yasutake <yasutake.koichi@jp.panasonic.com>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: Chris Metcalf <cmetcalf@tilera.com>
Cc: Salman Qazi <sqazi@google.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 87bec58
| File | Mode | Size |
|---|---|---|
| Kconfig | -rw-r--r-- | 13.5 KB |
| Kconfig.debug | -rw-r--r-- | 1015 bytes |
| Makefile | -rw-r--r-- | 1.8 KB |
| backing-dev.c | -rw-r--r-- | 22.3 KB |
| bootmem.c | -rw-r--r-- | 20.8 KB |
| bounce.c | -rw-r--r-- | 6.6 KB |
| cleancache.c | -rw-r--r-- | 6.5 KB |
| compaction.c | -rw-r--r-- | 23.7 KB |
| debug-pagealloc.c | -rw-r--r-- | 2.1 KB |
| dmapool.c | -rw-r--r-- | 13.0 KB |
| fadvise.c | -rw-r--r-- | 3.6 KB |
| failslab.c | -rw-r--r-- | 1.3 KB |
| filemap.c | -rw-r--r-- | 66.7 KB |
| filemap_xip.c | -rw-r--r-- | 11.2 KB |
| fremap.c | -rw-r--r-- | 6.7 KB |
| frontswap.c | -rw-r--r-- | 9.5 KB |
| highmem.c | -rw-r--r-- | 10.3 KB |
| huge_memory.c | -rw-r--r-- | 63.7 KB |
| hugetlb.c | -rw-r--r-- | 79.2 KB |
| hwpoison-inject.c | -rw-r--r-- | 3.3 KB |
| init-mm.c | -rw-r--r-- | 619 bytes |
| internal.h | -rw-r--r-- | 10.0 KB |
| kmemcheck.c | -rw-r--r-- | 2.8 KB |
| kmemleak-test.c | -rw-r--r-- | 3.3 KB |
| kmemleak.c | -rw-r--r-- | 52.6 KB |
| ksm.c | -rw-r--r-- | 54.7 KB |
| maccess.c | -rw-r--r-- | 1.6 KB |
| madvise.c | -rw-r--r-- | 11.8 KB |
| memblock.c | -rw-r--r-- | 28.4 KB |
| memcontrol.c | -rw-r--r-- | 143.4 KB |
| memory-failure.c | -rw-r--r-- | 42.1 KB |
| memory.c | -rw-r--r-- | 108.2 KB |
| memory_hotplug.c | -rw-r--r-- | 24.1 KB |
| mempolicy.c | -rw-r--r-- | 65.7 KB |
| mempool.c | -rw-r--r-- | 10.4 KB |
| migrate.c | -rw-r--r-- | 33.7 KB |
| mincore.c | -rw-r--r-- | 7.8 KB |
| mlock.c | -rw-r--r-- | 15.7 KB |
| mm_init.c | -rw-r--r-- | 3.7 KB |
| mmap.c | -rw-r--r-- | 70.8 KB |
| mmu_context.c | -rw-r--r-- | 1.4 KB |
| mmu_notifier.c | -rw-r--r-- | 9.1 KB |
| mmzone.c | -rw-r--r-- | 2.0 KB |
| mprotect.c | -rw-r--r-- | 7.9 KB |
| mremap.c | -rw-r--r-- | 13.6 KB |
| msync.c | -rw-r--r-- | 2.4 KB |
| nobootmem.c | -rw-r--r-- | 10.6 KB |
| nommu.c | -rw-r--r-- | 50.9 KB |
| oom_kill.c | -rw-r--r-- | 22.0 KB |
| page-writeback.c | -rw-r--r-- | 67.4 KB |
| page_alloc.c | -rw-r--r-- | 165.7 KB |
| page_cgroup.c | -rw-r--r-- | 11.9 KB |
| page_io.c | -rw-r--r-- | 3.5 KB |
| page_isolation.c | -rw-r--r-- | 3.7 KB |
| pagewalk.c | -rw-r--r-- | 5.7 KB |
| percpu-km.c | -rw-r--r-- | 2.8 KB |
| percpu-vm.c | -rw-r--r-- | 12.9 KB |
| percpu.c | -rw-r--r-- | 57.0 KB |
| pgtable-generic.c | -rw-r--r-- | 3.3 KB |
| prio_tree.c | -rw-r--r-- | 6.3 KB |
| process_vm_access.c | -rw-r--r-- | 13.3 KB |
| quicklist.c | -rw-r--r-- | 2.4 KB |
| readahead.c | -rw-r--r-- | 16.1 KB |
| rmap.c | -rw-r--r-- | 52.4 KB |
| shmem.c | -rw-r--r-- | 76.7 KB |
| slab.c | -rw-r--r-- | 120.6 KB |
| slob.c | -rw-r--r-- | 17.1 KB |
| slub.c | -rw-r--r-- | 129.3 KB |
| sparse-vmemmap.c | -rw-r--r-- | 5.9 KB |
| sparse.c | -rw-r--r-- | 20.5 KB |
| swap.c | -rw-r--r-- | 21.2 KB |
| swap_state.c | -rw-r--r-- | 10.2 KB |
| swapfile.c | -rw-r--r-- | 63.8 KB |
| truncate.c | -rw-r--r-- | 19.0 KB |
| util.c | -rw-r--r-- | 8.9 KB |
| vmalloc.c | -rw-r--r-- | 65.5 KB |
| vmscan.c | -rw-r--r-- | 93.5 KB |
| vmstat.c | -rw-r--r-- | 33.3 KB |
Computing file changes ...
