On Thu, 26 Jan 2012, Louis Alex Eisner wrote:
>
> I hope I'm sending this to the right people, but I wasn't sure who to
> send it to, since I'm not entirely sure exactly where the bug lives.
> Without further ado:
>
> Summary:
> When multiple threads simultaneously attempt to write to the same page of a
> file which has been mmapped using XIP for the first time, an unhandled
> EBUSY signal causes the kernel to panic.

Thanks a lot for your report, and all the info you carefully gathered.

I confess that I haven't looked at it at all! Because I was thinking
maybe I should take a look, and when did we last hear from Carsten?
And though I now see more recent postings from him in other fields,
what came first to my eye was this nugget below. It was white-space-damaged
and wouldn't apply (I bet that's why it got lost), so I've fixed that up
and reformatted the description, and added you as a Reporter - but
otherwise it's as Carsten posted.

Hugh

From carsteno@xxxxxxxxxx Thu Jul 15 09:19:45 2010
Date: Thu, 15 Jul 2010 18:20:24 +0200
From: Carsten Otte <carsteno@xxxxxxxxxx>
To: akpm@xxxxxxxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, linux-mm@xxxxxxxxx, npiggin@xxxxxxx
Cc: jaredeh@xxxxxxxxx, Martin Schwidefsky <schwidefsky@xxxxxxxxxx>, stable@xxxxxxxxxx
Subject: [PATCH mm/filemap_xip.c] Fix race condition in xip_file_fault

This patch fixes a race condition that shows in conjunction with
xip_file_fault when two threads of the same user process fault on the
same memory page. In this case, the race winner will install the page
table entry, and the unlucky loser will cause an oops: xip_file_fault
calls vm_insert_pfn (via vm_insert_mixed) which drops out at this check:

	retval = -EBUSY;
	if (!pte_none(*pte))
		goto out_unlock;

The resulting -EBUSY return value will trigger a BUG_ON() in
xip_file_fault. This fix simply considers the fault as fixed in this
case, because the race winner has successfully installed the pte.

Reported-by: David Sadler <dsadler@xxxxxxxxxx>
Signed-off-by: Carsten Otte <cotte@xxxxxxxxxx>
Reported-by: Louis Alex Eisner <leisner@xxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
 mm/filemap_xip.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/mm/filemap_xip.c
+++ b/mm/filemap_xip.c
@@ -263,7 +263,10 @@ found:
 						xip_pfn);
 		if (err == -ENOMEM)
 			return VM_FAULT_OOM;
-		BUG_ON(err);
+		/* err == -EBUSY is fine, we've raced against another thread
+		   that faulted-in the same page */
+		if (err != -EBUSY)
+			BUG_ON(err);
 		return VM_FAULT_NOPAGE;
 	} else {
 		int err, ret = VM_FAULT_OOM;
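Review bot: treating -EBUSY as success assumes that the pte which won the race maps the same xip_pfn this fault just resolved, but nothing in the hunk checks that. As the description notes, vm_insert_pfn returns -EBUSY for any present pte (`if (!pte_none(*pte)) goto out_unlock;`), so a pte holding a different pfn would now be silently accepted where it previously tripped BUG_ON. It would be worth stating that assumption in the comment (or verifying the installed pfn where that is cheap), and the two-line check could be written as a single `BUG_ON(err && err != -EBUSY);`, which also keeps the pte-lock comment adjacent to the condition it explains.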
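To make the race in the description concrete, here is a constructed C model of the tail of xip_file_fault() before and after the change, added here by the editor; it is not kernel code and not part of the patch. vm_insert_pfn(), pte_none(), the VM_FAULT_* values and the sample pfn 0x1234 are simplified stand-ins for the kernel's, and the "BUG_ON" is recorded as a counter instead of panicking so both variants can be run side by side.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the fault path described in the patch; none of this is
 * kernel code. Names mirror the patch so the two handlers can be compared. */
#define VM_FAULT_OOM     0x0001
#define VM_FAULT_SIGBUS  0x0002
#define VM_FAULT_NOPAGE  0x0100

#define SAMPLE_XIP_PFN   0x1234UL   /* constructed pfn both faulting threads resolve to */

struct pte { unsigned long pfn; };  /* pfn == 0 models pte_none() */

struct page_table {
    struct pte pte;
    int bug_hits;                   /* how often BUG_ON(err) would have fired */
};

static int pte_none(const struct pte *p) { return p->pfn == 0; }

/* Model of vm_insert_pfn(): the pte lock serialises installs, so the loser of
 * the race always finds the winner's pte present and gets -EBUSY, whatever
 * pfn that pte holds. */
static int vm_insert_pfn(struct page_table *pt, unsigned long pfn)
{
    if (!pte_none(&pt->pte))
        return -EBUSY;              /* retval = -EBUSY; if (!pte_none(*pte)) goto out_unlock; */
    pt->pte.pfn = pfn;
    return 0;
}

/* Tail of xip_file_fault() before the patch: any error but -ENOMEM hits BUG_ON. */
static int xip_fault_before(struct page_table *pt, unsigned long pfn)
{
    int err = vm_insert_pfn(pt, pfn);
    if (err == -ENOMEM)
        return VM_FAULT_OOM;
    if (err) {                      /* BUG_ON(err) in the kernel; counted here instead of panicking */
        pt->bug_hits++;
        return VM_FAULT_SIGBUS;
    }
    return VM_FAULT_NOPAGE;
}

/* Same tail after the patch: -EBUSY means the race winner already installed the pte. */
static int xip_fault_after(struct page_table *pt, unsigned long pfn)
{
    int err = vm_insert_pfn(pt, pfn);
    if (err == -ENOMEM)
        return VM_FAULT_OOM;
    if (err != -EBUSY && err) {     /* if (err != -EBUSY) BUG_ON(err); */
        pt->bug_hits++;
        return VM_FAULT_SIGBUS;
    }
    return VM_FAULT_NOPAGE;
}

typedef int (*fault_fn)(struct page_table *, unsigned long);

struct race_result {
    int bug_hits;          /* BUG_ON()s that would have panicked the kernel */
    int nopage_count;      /* threads whose fault completed with VM_FAULT_NOPAGE */
    unsigned long pfn;     /* what ended up in the pte */
};

/* Two threads of one process fault on the same page: both resolve the same
 * xip_pfn with no lock held, then race to install it. The pte lock turns every
 * real interleaving into "winner installs, loser sees a present pte", which is
 * the sequence replayed here. */
static struct race_result simulate_two_faults(fault_fn handler)
{
    struct page_table pt = { { 0 }, 0 };
    struct race_result r = { 0, 0, 0 };
    unsigned long pfn_a = SAMPLE_XIP_PFN;   /* thread A's lookup result */
    unsigned long pfn_b = SAMPLE_XIP_PFN;   /* thread B's lookup result: same page */

    if (handler(&pt, pfn_a) == VM_FAULT_NOPAGE) r.nopage_count++;   /* race winner */
    if (handler(&pt, pfn_b) == VM_FAULT_NOPAGE) r.nopage_count++;   /* race loser */
    r.bug_hits = pt.bug_hits;
    r.pfn = pt.pte.pfn;
    return r;
}

int main(void)
{
    struct race_result before = simulate_two_faults(xip_fault_before);
    struct race_result after  = simulate_two_faults(xip_fault_after);
    printf("before patch: BUG_ON hits=%d, NOPAGE returns=%d\n", before.bug_hits, before.nopage_count);
    printf("after patch:  BUG_ON hits=%d, NOPAGE returns=%d\n", after.bug_hits, after.nopage_count);
    return 0;
}
```

Running it shows the loser of the race tripping the modelled BUG_ON once with the old tail and both threads completing with VM_FAULT_NOPAGE with the new one; the installed pfn is the winner's in both cases, which is also why the fix is only safe when the two faults resolved the same page.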