On Tue, 20 Aug 2013 14:54:53 +0800 Wanpeng Li <liwanp@xxxxxxxxxxxxxxxxxx> wrote:

> preallocate_pmds will continue to preallocate pmds even if failure
> occurrence, and then free all the preallocate pmds if there is
> failure, this patch fix it by stop preallocate if failure occurrence
> and go to free path.
>
> ...
>
> --- a/arch/x86/mm/pgtable.c > +++ b/arch/x86/mm/pgtable.c > @@ -196,21 +196,18 @@ static void free_pmds(pmd_t *pmds[]) > static int preallocate_pmds(pmd_t *pmds[]) > { > int i; > - bool failed = false; > > for(i = 0; i < PREALLOCATED_PMDS; i++) { > pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP); > if (pmd == NULL) > - failed = true; > + goto err; > pmds[i] = pmd; > } > > - if (failed) { > - free_pmds(pmds); > - return -ENOMEM; > - } > - > return 0; > +err: > + free_pmds(pmds); > + return -ENOMEM; > }

Nope. If the error path is taken, free_pmds() will free uninitialised items from pmds[], which is a local in pgd_alloc() and contains random stack junk. The kernel will crash.

You could pass an nr_pmds argument to free_pmds(), or zero out the remaining items on the error path. However, although the current code is a bit kooky, I don't see that it is harmful in any way.

> Reviewed-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

Ahem.
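
Review bot: at the new `err:` label, free_pmds(pmds) runs after the loop has exited early, so only pmds[0] through pmds[i-1] have been written. The removed code kept iterating and stored `pmds[i] = pmd` for every index (NULL on failure), which meant every slot was initialised before free_pmds() was called. With the `goto err` placed before that assignment, the failing slot and everything after it keep whatever the caller's array held, and per the reply that array is an uninitialised local in pgd_alloc(). Bound the cleanup to the entries actually allocated, either with a count argument to free_pmds() or by unwinding from i-1 down to 0 at `err:`, or zero the array before the loop. The changelog should also say what problem the early exit solves, since the existing behaviour frees correctly and only costs extra allocation attempts on a path that is already failing.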