On Wed, 30 May 2012 12:20:10 -0700 Pravin B Shelar <pshelar@xxxxxxxxxx> wrote:

> On arches that do not support this_cpu_cmpxchg_double slab_lock is used
> to do atomic cmpxchg() on double word which contains page->_count.
> page count can be changed from get_page() or put_page() without taking
> slab_lock. That corrupts page counter.
>
> Following patch fixes it by moving page->_count out of cmpxchg_double
> data. So that slub does not change it while updating slub meta-data in
> struct page.
>
> Reported-by: Amey Bhide <abhide@xxxxxxxxxx>
> Signed-off-by: Pravin B Shelar <pshelar@xxxxxxxxxx>
> Acked-by: Christoph Lameter <cl@xxxxxxxxx>
> ---
>  include/linux/mm_types.h |    8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
> index 18b48c4..e54a6b0 100644
> --- a/include/linux/mm_types.h
> +++ b/include/linux/mm_types.h
> @@ -57,8 +57,16 @@ struct page {
> };
>
> union {
> +#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
> + defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
> /* Used for cmpxchg_double in slub */
> unsigned long counters;
> +#else
> + /* Keep _count separate from slub cmpxchg_double data,
> + * As rest of double word is protected by slab_lock
> + * but _count is not. */
> + unsigned counters;
> +#endif
>
> struct {

OK.  I assume this bug has been there for quite some time.  How serious
is it?  Have people been reporting it in real workloads?  How to
trigger it?  IOW, does this need -stable backporting?

Also, someone forgot to document these:

	struct {
		unsigned inuse:16;
		unsigned objects:15;
		unsigned frozen:1;
	};

pls fix.
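Review bot: the comment in the `#else` branch of the mm_types.h hunk explains what is unprotected but not why `unsigned` is the right width; it should say that a 32-bit `counters` covers exactly the `inuse:16`, `objects:15` and `frozen:1` bitfields (32 bits) and therefore stops short of `_count`, so the slab_lock-protected word and the atomically updated `_count` no longer share one cmpxchg. Two smaller points on the same hunk: kernel multi-line comment style puts `/*` on its own line, and the `#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)` condition must stay identical to the one slub uses to decide whether it does cmpxchg_double on `counters`, otherwise the struct layout and the slub fast path could disagree; a one-line comment naming that dependency would make it visible to the next person touching either side.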