[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.00.1105101403110.4023@router.home>
Date: Tue, 10 May 2011 14:05:47 -0500 (CDT)
From: Christoph Lameter <cl@...ux.com>
To: Eric Dumazet <eric.dumazet@...il.com>
cc: Vegard Nossum <vegardno@....uio.no>,
Pekka Enberg <penberg@...helsinki.fi>,
casteyde.christian@...e.fr,
Andrew Morton <akpm@...ux-foundation.org>,
netdev@...r.kernel.org, bugzilla-daemon@...zilla.kernel.org,
bugme-daemon@...zilla.kernel.org
Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized
memory in __alloc_skb
On Tue, 10 May 2011, Christoph Lameter wrote:
> > This other cpu can free the object and unmap page right after you did
> > the probe_kernel_address(object) (successfully), and before your cpu :
> >
> > p = get_freepointer(s, object); << BUG >>
>
> If the other cpu frees the object and unmaps the page then
> get_freepointer_safe() can obtain an arbitrary value since the TID was
> incremented. We will restart the loop and discard the value retrieved.
Ok. Forgot the element there of a different cpu. A different cpu cannot
unmap the page or free the page since the page is in a frozen state while
we allocate from it.
The page is only handled by the cpu it was assigned to until the cpu which
froze it releases it.
The only case that we need to protect against here is the case when an
interrupt or reschedule causes the *same* cpu to release the page. In that
case the TID must have been incremented.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists