lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Tue, 11 Oct 2011 23:56:23 -0400
From:	Steven Rostedt <rostedt@...dmis.org>
To:	LKML <linux-kernel@...r.kernel.org>,
	RT <linux-rt-users@...r.kernel.org>
Cc:	Thomas Gleixner <tglx@...utronix.de>,
	"Luis Claudio R. Goncalves" <lgoncalv@...hat.com>,
	Clark Williams <clark@...hat.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>
Subject: [PATCH][RT] slab: Fix __do_drain to use the right array cache

The array cache in __do_drain() was using the cpu_cache_get() function
which uses smp_processor_id() to get the proper array. On mainline, this
is fine as __do_drain() is called by for_each_cpu() which runs
__do_drain() on the CPU it is processing. In RT locks are used instead
and __do_drain() is only called from a single CPU. This can cause the
accounting to be off and trigger the following bug:

slab error in kmem_cache_destroy(): cache `nfs_write_data': Can't free all objects
Pid: 2905, comm: rmmod Not tainted 3.0.6-test-rt17+ #78
Call Trace:
 [<ffffffff810fb623>] kmem_cache_destroy+0xa0/0xdf
 [<ffffffffa03aaffb>] nfs_destroy_writepagecache+0x49/0x4e [nfs]
 [<ffffffffa03c0fe0>] exit_nfs_fs+0xe/0x46 [nfs]
 [<ffffffff8107af09>] sys_delete_module+0x1ba/0x22c
 [<ffffffff8109429d>] ? audit_syscall_entry+0x11c/0x148
 [<ffffffff814b6442>] system_call_fastpath+0x16/0x1b

This can be easily triggered by a simple while loop:

# while :; do modprobe nfs; rmmod nfs; done

The proper function to use is cpu_cache_get_on_cpu(). It works for both
RT and non-RT as the non-RT passes in smp_processor_id() into
__do_drain().

Signed-off-by: Steven Rostedt <rostedt@...dmis.org>

Index: linux-rt.git/mm/slab.c
===================================================================
--- linux-rt.git.orig/mm/slab.c
+++ linux-rt.git/mm/slab.c
@@ -2601,7 +2601,7 @@ static void __do_drain(void *arg, unsign
 	struct array_cache *ac;
 	int node = cpu_to_mem(cpu);
 
-	ac = cpu_cache_get(cachep);
+	ac = cpu_cache_get_on_cpu(cachep, cpu);
 	spin_lock(&cachep->nodelists[node]->list_lock);
 	free_block(cachep, ac->entry, ac->avail, node);
 	spin_unlock(&cachep->nodelists[node]->list_lock);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ