This is a note to let you know that I've just added the patch titled

    mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma()

to the 3.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mempolicy-fix-a-memory-corruption-by-refcount-imbalance-in-alloc_pages_vma.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From 00442ad04a5eac08a98255697c510e708f6082e2 Mon Sep 17 00:00:00 2001
From: Mel Gorman <mgor...@suse.de>
Date: Mon, 8 Oct 2012 16:29:20 -0700
Subject: mempolicy: fix a memory corruption by refcount imbalance in alloc_pages_vma()

From: Mel Gorman <mgor...@suse.de>

commit 00442ad04a5eac08a98255697c510e708f6082e2 upstream.

Commit cc9a6c877661 ("cpuset: mm: reduce large amounts of memory barrier
related damage v3") introduced a potential memory corruption.
shmem_alloc_page() uses a pseudo vma and it has one significant unique
combination, vma->vm_ops=NULL and vma->policy->flags & MPOL_F_SHARED.

get_vma_policy() does NOT increase a policy ref when vma->vm_ops=NULL and
mpol_cond_put() DOES decrease a policy ref when a policy has MPOL_F_SHARED.
Therefore, when a cpuset update race occurs, alloc_pages_vma() falls in
'goto retry_cpuset' path, decrements the reference count and frees the
policy prematurely.

Signed-off-by: KOSAKI Motohiro <kosaki.motoh...@jp.fujitsu.com>
Signed-off-by: Mel Gorman <mgor...@suse.de>
Reviewed-by: Christoph Lameter <c...@linux.com>
Cc: Josh Boyer <jwbo...@gmail.com>
Signed-off-by: Andrew Morton <a...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 mm/mempolicy.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1532,8 +1532,18 @@ struct mempolicy *get_vma_policy(struct addr); if (vpol) pol = vpol; - } else if (vma->vm_policy) + } else if (vma->vm_policy) { pol = vma->vm_policy; + + /* + * shmem_alloc_page() passes MPOL_F_SHARED policy with + * a pseudo vma whose vma->vm_ops=NULL. Take a reference + * count on these policies which will be dropped by + * mpol_cond_put() later + */ + if (mpol_needs_cond_ref(pol)) + mpol_get(pol); + } } if (!pol) pol = &default_policy; Patches currently in stable-queue which might be from mgor...@suse.de are queue-3.4/mempolicy-fix-a-memory-corruption-by-refcount-imbalance-in-alloc_pages_vma.patch queue-3.4/mempolicy-fix-a-race-in-shared_policy_replace.patch queue-3.4/mempolicy-remove-mempolicy-sharing.patch queue-3.4/revert-mm-mempolicy-let-vma_merge-and-vma_split-handle-vma-vm_policy-linkages.patch queue-3.4/mm-thp-fix-pmd_present-for-split_huge_page-and-prot_none-with-thp.patch queue-3.4/mempolicy-fix-refcount-leak-in-mpol_set_shared_policy.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
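Review bot: the new mpol_get() in the `} else if (vma->vm_policy) {` branch changes the ownership contract for every caller of get_vma_policy(), not only the alloc_pages_vma() retry path the changelog covers, while the diffstat shows nothing outside mm/mempolicy.c was touched. Any caller that reaches this branch with an MPOL_F_SHARED policy and does not finish with mpol_cond_put() now leaks a reference, and shmem_alloc_page(), which per the description hands in a pseudo vma carrying a shared policy, must still end up dropping whatever reference it already holds on that policy exactly once. Please state in the changelog that the 3.4 callers were audited for a matching mpol_cond_put(), and reword the in-hunk comment so the responsibility is explicit, e.g. `* count on these policies; the caller must drop it with` / `* mpol_cond_put()`, since "which will be dropped by mpol_cond_put() later" reads as if that happened automatically.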
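The pairing rule the commit message describes, as an added model in C. This is illustration code written for this note, not kernel code and not part of the patch: the struct layouts, the `_model`/`_before`/`_after` function names, the `POLICY_FREED` sentinel, the `races` counter that stands in for `goto retry_cpuset`, and the `start_refs` value (references held elsewhere, e.g. by shmem's shared-policy tree) are all assumptions. Only the two behaviours named in the message are modelled: get_vma_policy() taking no reference on the vma->vm_ops == NULL path, and mpol_cond_put() dropping one whenever the policy has MPOL_F_SHARED.

```c
/*
 * Added model of the refcount imbalance described in the commit message.
 * Illustration code, not kernel code: struct layouts, the _model/_before/
 * _after names, POLICY_FREED and the `races` counter are assumptions.
 * Modelled from the message: get_vma_policy() took no reference when
 * vma->vm_ops == NULL; mpol_cond_put() drops one for MPOL_F_SHARED.
 */
#include <stdio.h>

#define MPOL_F_SHARED (1 << 0)
#define POLICY_FREED  (-1000)	/* sentinel: the policy was freed under us */

struct mempolicy {
	int refcnt;
	unsigned short flags;
	int freed;			/* set once refcnt reaches zero */
};

/* Only the vma->vm_ops == NULL shape matters here (shmem's pseudo vma). */
struct vma_model {
	struct mempolicy *vm_policy;
};

static int mpol_needs_cond_ref(const struct mempolicy *pol)
{
	return pol && (pol->flags & MPOL_F_SHARED);
}

static void mpol_get(struct mempolicy *pol)
{
	pol->refcnt++;
}

static void mpol_put(struct mempolicy *pol)
{
	if (--pol->refcnt == 0)
		pol->freed = 1;		/* the kernel would free the object here */
}

static void mpol_cond_put(struct mempolicy *pol)
{
	if (mpol_needs_cond_ref(pol))
		mpol_put(pol);
}

/* Before the patch: the vm_policy branch returns a borrowed pointer. */
static struct mempolicy *get_vma_policy_before(struct vma_model *vma)
{
	return vma->vm_policy;
}

/* After the patch: take the reference that mpol_cond_put() will drop. */
static struct mempolicy *get_vma_policy_after(struct vma_model *vma)
{
	struct mempolicy *pol = vma->vm_policy;

	if (mpol_needs_cond_ref(pol))
		mpol_get(pol);
	return pol;
}

/*
 * Skeleton of alloc_pages_vma(): look the policy up, and on each cpuset
 * update race drop it and retry. Returns the net change to pol->refcnt
 * once the function is done, or POLICY_FREED if the policy died on the way.
 */
static int alloc_pages_vma_model(struct vma_model *vma, int races,
				 struct mempolicy *(*get_policy)(struct vma_model *))
{
	int start = vma->vm_policy->refcnt;
	struct mempolicy *pol;

retry_cpuset:
	pol = get_policy(vma);
	if (pol->freed)
		return POLICY_FREED;	/* use after free */
	if (races-- > 0) {
		mpol_cond_put(pol);	/* the drop on the retry path */
		goto retry_cpuset;
	}
	mpol_cond_put(pol);		/* the drop on the success path */
	return pol->freed ? POLICY_FREED : pol->refcnt - start;
}

/*
 * One allocation through a fresh pseudo vma. start_refs models references
 * held elsewhere (assumption); fixed selects before/after behaviour.
 */
static int run_model(unsigned short flags, int start_refs, int races, int fixed)
{
	struct mempolicy pol = { start_refs, flags, 0 };
	struct vma_model pvma = { &pol };

	return alloc_pages_vma_model(&pvma, races,
				     fixed ? get_vma_policy_after
					   : get_vma_policy_before);
}

int main(void)
{
	printf("shared, 1 race, before fix:  %d\n", run_model(MPOL_F_SHARED, 2, 1, 0));
	printf("shared, 1 race, after fix:   %d\n", run_model(MPOL_F_SHARED, 2, 1, 1));
	printf("private, 1 race, before fix: %d\n", run_model(0, 2, 1, 0));
	return 0;
}
```

Before the fix every pass through the retry path costs the shared policy one reference it never took, so N races leave the refcount N+1 lower than the caller started with, and a policy that was held twice is freed after a single race. After the fix the get/put pairs inside the function are net zero for any number of races, and a policy without MPOL_F_SHARED is unaffected either way.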