On 03/09/2017 12:40 PM, Dmitry Vyukov wrote:
> quarantine_remove_cache() frees all pending objects that belong to the
> cache, before we destroy the cache itself. However there are currently
> two possibilities for how it can fail to do so.
>
> First, another thread can hold some of the objects from the cache in
> the temp list in quarantine_put(). quarantine_put() has a window of enabled
> interrupts, and on_each_cpu() in quarantine_remove_cache() can finish
> right in that window. These objects will be later freed into the
> destroyed cache.
>
> Then, quarantine_reduce() has the same problem. It grabs a batch of
> objects from the global quarantine, then unlocks quarantine_lock and
> then frees the batch. quarantine_remove_cache() can finish while some
> objects from the cache are still in the local to_free list in
> quarantine_reduce().
>
> Fix the race with quarantine_put() by disabling interrupts for the
> whole duration of quarantine_put(). In combination with on_each_cpu()
> in quarantine_remove_cache() it ensures that quarantine_remove_cache()
> either sees the objects in the per-cpu list or in the global list.
>
> Fix the race with quarantine_reduce() by protecting quarantine_reduce()
> with an srcu critical section and then doing synchronize_srcu() at the end
> of quarantine_remove_cache().
>
> Signed-off-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Cc: kasan-dev@xxxxxxxxxxxxxxxx
> Cc: linux-mm@xxxxxxxxx
> Cc: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
> Cc: Greg Thelen <gthelen@xxxxxxxxxx>
> Acked-by: Andrey Ryabinin <aryabinin@xxxxxxxxxxxxx>
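As an added illustration of the quarantine_reduce() race described in the quoted commit message (a constructed single-threaded C model, not the patch's code nor the kernel's quarantine implementation): each step of the interleaving is an explicit call, the SRCU grace period is modelled by letting the cache-removal path run the in-flight reducer's remaining work to completion, and a `cache_destroyed` flag stands in for kmem_cache_destroy() proceeding once quarantine_remove_cache() has returned.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Constructed single-threaded model of the quarantine_reduce() race in the
 * patch, not kernel code; each step of the interleaving is an explicit call. */
struct obj { int cache; struct obj *next; };
static struct obj *global_q;     /* global quarantine list */
static struct obj *to_free;      /* quarantine_reduce()'s local batch */
static bool reducer_in_section;  /* models an open SRCU read section */
static bool cache_destroyed[4];
static int freed_after_destroy;  /* objects freed into a destroyed cache */
static void quarantine_put(int cache) {  /* push onto the global list */
    struct obj *o = malloc(sizeof *o);
    assert(o); o->cache = cache; o->next = global_q; global_q = o;
}
static void reduce_grab(void) {  /* quarantine_reduce() under quarantine_lock */
    reducer_in_section = true; to_free = global_q; global_q = NULL;
}
/* quarantine_reduce(), second half: lock dropped, free the batch */
static void reduce_free(void) {
    for (struct obj *n; to_free; to_free = n) {
        n = to_free->next;
        if (cache_destroyed[to_free->cache])  /* the bug being fixed */
            freed_after_destroy++;
        free(to_free);
    }
    reducer_in_section = false;
}
static void remove_cache(int cache, bool with_synchronize) {
    for (struct obj **pp = &global_q; *pp; ) {  /* purge the global list */
        struct obj *o = *pp;
        if (o->cache != cache) { pp = &o->next; continue; }
        *pp = o->next;
        free(o);
    }
    if (with_synchronize && reducer_in_section)  /* synchronize_srcu() */
        reduce_free();                           /* wait for the reader */
    cache_destroyed[cache] = true;               /* kmem_cache_destroy() */
}
/* Schedule: reducer grabs a batch, the cache is removed, reducer frees. */
int run_race(bool fixed) {
    global_q = to_free = NULL; reducer_in_section = false;
    memset(cache_destroyed, 0, sizeof cache_destroyed); freed_after_destroy = 0;
    quarantine_put(1); quarantine_put(2);
    reduce_grab();            /* reducer takes both objects into to_free */
    remove_cache(1, fixed);   /* cache 1 removed while the batch is in flight */
    reduce_free();            /* reducer frees the batch */
    return freed_after_destroy;  /* 1 without the fix, 0 with it */
}
```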