On Fri 14-06-13 14:31:24, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 3.9-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.

Patch doesn't apply to 3.9 because the bug has been introduced by 5f578161
(memcg: relax memcg iter caching) merged after 3.9. Sorry, I should have
spotted this earlier.

> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From 89dc991f0f5272c307c746fdd57d0bff382b1ba2 Mon Sep 17 00:00:00 2001
> From: Johannes Weiner <hannes@xxxxxxxxxxx>
> Date: Wed, 12 Jun 2013 14:05:09 -0700
> Subject: [PATCH] mm: memcontrol: fix lockless reclaim hierarchy iterator
>
> The lockless reclaim hierarchy iterator currently has a misplaced
> barrier that can lead to use-after-free crashes.
>
> The reclaim hierarchy iterator consists of a sequence count and a
> position pointer that are read and written locklessly, with memory
> barriers enforcing ordering.
>
> The write side sets the position pointer first, then updates the
> sequence count to "publish" the new position. Likewise, the read side
> must read the sequence count first, then the position. If the sequence
> count is up to date, it's guaranteed that the position is up to date as
> well:
>
>   writer:                        reader:
>   iter->position = position      if iter->sequence == expected:
>   smp_wmb()                          smp_rmb()
>   iter->sequence = sequence          position = iter->position
>
> However, the read side barrier is currently misplaced, which can lead to
> dereferencing stale position pointers that no longer point to valid
> memory. Fix this.
> > Signed-off-by: Johannes Weiner <hannes@xxxxxxxxxxx> > Reported-by: Tejun Heo <tj@xxxxxxxxxx> > Reviewed-by: Tejun Heo <tj@xxxxxxxxxx> > Acked-by: Michal Hocko <mhocko@xxxxxxx> > Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx> > Cc: Glauber Costa <glommer@xxxxxxxxxxxxx> > Cc: <stable@xxxxxxxxxx> [3.10+] > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > > diff --git a/mm/memcontrol.c b/mm/memcontrol.c > index 931e38c..1947218 100644 > --- a/mm/memcontrol.c > +++ b/mm/memcontrol.c > @@ -1199,7 +1199,6 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root, > > mz = mem_cgroup_zoneinfo(root, nid, zid); > iter = &mz->reclaim_iter[reclaim->priority]; > - last_visited = iter->last_visited; > if (prev && reclaim->generation != iter->generation) { > iter->last_visited = NULL; > goto out_unlock; > @@ -1218,13 +1217,12 @@ struct mem_cgroup *mem_cgroup_iter(struct mem_cgroup *root, > * is alive. > */ > dead_count = atomic_read(&root->dead_count); > - smp_rmb(); > - last_visited = iter->last_visited; > - if (last_visited) { > - if ((dead_count != iter->last_dead_count) || > - !css_tryget(&last_visited->css)) { > + if (dead_count == iter->last_dead_count) { > + smp_rmb(); > + last_visited = iter->last_visited; > + if (last_visited && > + !css_tryget(&last_visited->css)) > last_visited = NULL; > - } > } > } > > -- Michal Hocko SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
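Review bot: with the unconditional `last_visited = iter->last_visited;` removed ahead of the `reclaim->generation != iter->generation` check in the first hunk, `last_visited` is no longer assigned on the path that takes `goto out_unlock`; confirm the variable is initialised to NULL at its declaration (outside this hunk), since the second hunk also leaves it untouched when `dead_count != iter->last_dead_count`. Dropping the early read is right in itself: a position loaded before the sequence comparison and its smp_rmb() is exactly the stale pointer the commit message describes.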
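Review bot: the reordering in the second hunk is correct but the barrier pairing stays undocumented: `smp_rmb()` now sits between the `dead_count == iter->last_dead_count` comparison and the load of `iter->last_visited`, which is the reader side of the protocol in the commit message, yet the comment block above it (ending in `* is alive.`) is not updated to say which writer-side smp_wmb() it pairs with; suggest extending that comment, e.g. `/* pairs with the smp_wmb() between storing last_visited and last_dead_count */`, so the next person touching this code does not move the barrier back. Also worth stating that `atomic_read(&root->dead_count)` carries no ordering of its own; it is the comparison against `iter->last_dead_count` followed by the barrier that validates the cached pointer before `css_tryget()` is attempted.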
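The publish/read protocol from the commit message, as an added user-space model (not code from the patch or from the kernel): C11 fences stand in for smp_wmb()/smp_rmb(), a refcounted `struct node` with `node_tryget()` stands in for `css_tryget()`, and the slot keeps the same two fields the hunk uses, `last_visited` as the position and `last_dead_count` as the sequence. The names `iter_publish`, `iter_get_cached`, `node_tryget`, `node_put` and the sample objects are constructed for this illustration.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a css: a refcount that models css_tryget(),
 * which may only succeed while the count is non-zero. */
struct node {
    int id;
    atomic_int refcnt;
};

/* Take a reference unless the object is already dead (refcnt == 0). */
static int node_tryget(struct node *n)
{
    int c = atomic_load_explicit(&n->refcnt, memory_order_relaxed);
    while (c != 0) {
        if (atomic_compare_exchange_weak_explicit(&n->refcnt, &c, c + 1,
                                                  memory_order_acquire,
                                                  memory_order_relaxed))
            return 1;
    }
    return 0;
}

static void node_put(struct node *n)
{
    atomic_fetch_sub_explicit(&n->refcnt, 1, memory_order_release);
}

/* The iterator slot: the cached position and the dead_count it was cached
 * under; the latter is the commit message's "sequence". */
struct reclaim_iter {
    _Atomic(struct node *) last_visited;
    atomic_uint last_dead_count;
};

/* Writer side: store the position, then the write barrier, then the
 * sequence that publishes it. */
void iter_publish(struct reclaim_iter *it, struct node *pos, unsigned dead_count)
{
    atomic_store_explicit(&it->last_visited, pos, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);          /* models smp_wmb() */
    atomic_store_explicit(&it->last_dead_count, dead_count, memory_order_relaxed);
}

/* Reader side in the order the patch establishes: compare the sequence
 * first, then the read barrier, and only then load and try to pin the
 * position. Returns NULL when the cache is stale or the object is dead,
 * so the caller never dereferences an unvalidated pointer. */
struct node *iter_get_cached(struct reclaim_iter *it, unsigned dead_count)
{
    struct node *pos = NULL;

    if (dead_count == atomic_load_explicit(&it->last_dead_count, memory_order_relaxed)) {
        atomic_thread_fence(memory_order_acquire);      /* models smp_rmb() */
        pos = atomic_load_explicit(&it->last_visited, memory_order_relaxed);
        if (pos && !node_tryget(pos))
            pos = NULL;
    }
    return pos;
}

int main(void)
{
    struct node a = { .id = 1, .refcnt = 1 };         /* constructed sample */
    struct reclaim_iter it = { NULL, 0 };
    struct node *got;

    iter_publish(&it, &a, 7);
    got = iter_get_cached(&it, 7);
    printf("fresh cache:  %s\n", got == &a ? "hit" : "miss");
    if (got)
        node_put(got);
    printf("stale cache:  %s\n", iter_get_cached(&it, 8) ? "hit" : "miss");
    node_put(&a);                                     /* last ref: object dies */
    printf("dead object:  %s\n", iter_get_cached(&it, 7) ? "hit" : "miss");
    return 0;
}
```

The single-threaded run cannot exhibit the race itself; what it shows is the contract the fix restores: a position pointer is only ever loaded after the sequence it was published under has been checked, and even then it is only handed out if a reference can still be taken.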