From patchwork Tue May 10 18:07:22 2011
X-Patchwork-Submitter: "Christoph Lameter (Ampere)"
X-Patchwork-Id: 95021
X-Patchwork-Delegate: davem@davemloft.net
Date: Tue, 10 May 2011 13:07:22 -0500 (CDT)
From: Christoph Lameter
To: Eric Dumazet
cc: Vegard Nossum, Pekka Enberg, casteyde.christian@free.fr, Andrew Morton, netdev@vger.kernel.org, bugzilla-daemon@bugzilla.kernel.org, bugme-daemon@bugzilla.kernel.org
Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb
In-Reply-To:
Message-ID:
References: <1303183217.4152.49.camel@edumazet-laptop> <1303244270.2756.3.camel@edumazet-laptop> <4DC90D7D.9030808@cs.helsinki.fi> <1305022632.2614.18.camel@edumazet-laptop> <4DC91137.4030109@cs.helsinki.fi> <1305047682.2758.1.camel@edumazet-laptop>
User-Agent: Alpine 2.00 (DEB 1167 2008-08-23)
X-Mailing-List: netdev@vger.kernel.org

There is a simpler version and we can get away without interrupt disable I think. The value that we get from the read does not matter since the TID will not match.

Subject: slub: Make CONFIG_PAGE_ALLOC work with new fastpath

Fastpath can do a speculative access to a page that CONFIG_PAGE_ALLOC may have marked as invalid to retrieve the pointer to the next free object. Probe that address before dereferencing the pointer to the page.

Signed-off-by: Christoph Lameter

---
 mm/slub.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

Index: linux-2.6/mm/slub.c
===================================================================
--- linux-2.6.orig/mm/slub.c	2011-05-10 12:54:00.000000000 -0500
+++ linux-2.6/mm/slub.c	2011-05-10 13:04:18.000000000 -0500
@@ -261,6 +261,18 @@ static inline void *get_freepointer(stru return *(void **)(object + s->offset); } +static inline void *get_freepointer_safe(struct kmem_cache *s, void *object) +{ + void *p; + +#ifdef CONFIG_DEBUG_PAGEALLOC + probe_kernel_read(&p, (void **)(object + s->offset), sizeof(p)); +#else + p = get_freepointer(s, object); +#endif + return p; +} + static inline void set_freepointer(struct kmem_cache *s, void *object, void *fp) { *(void **)(object + s->offset) = fp; @@ -1943,7 +1955,7 @@ redo: if (unlikely(!irqsafe_cpu_cmpxchg_double( s->cpu_slab->freelist, s->cpu_slab->tid, object, tid, - get_freepointer(s, object), next_tid(tid)))) { + get_freepointer_safe(s, object), next_tid(tid)))) { note_cmpxchg_failure("slab_alloc", s, tid); goto redo;
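Review bot: in the first hunk, get_freepointer_safe() drops the return value of probe_kernel_read(), so when the read fails under CONFIG_DEBUG_PAGEALLOC the helper returns `p` with an indeterminate value. The argument that this is harmless (the tid in the following cmpxchg_double will not match, so the value is never installed) exists only in the e-mail text; it belongs in a comment above the function, and `void *p = NULL;` would make the failure case return a defined value at no cost. Separately, the patch subject and description say CONFIG_PAGE_ALLOC while the `#ifdef` tests CONFIG_DEBUG_PAGEALLOC; the description should name the option the code actually checks.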
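Review bot: in the second hunk, the slab_alloc() fastpath now relies on a property that the code does not state: the value from get_freepointer_safe() only becomes the new freelist head if irqsafe_cpu_cmpxchg_double() sees both the freelist and the tid unchanged, so a stale or garbage read taken after the page was unmapped is discarded by the `goto redo` path. A comment above the cmpxchg_double call saying exactly that would stop a later change from moving the freepointer read out of the cmpxchg arguments, or reusing get_freepointer_safe() on a path that has no tid check, either of which would reintroduce the problem. Without CONFIG_DEBUG_PAGEALLOC the page is never unmapped, so the plain get_freepointer() branch remains correct there.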
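To make the reasoning in the e-mail concrete ("the value that we get from the read does not matter since the TID will not match"), here is an added single-threaded C model of the SLUB allocation fastpath. It is example code written for this page, not kernel code and not part of the patch. It assumes a free pointer at offset 0 of each object, a tid that increments by one per operation, a constructed "interrupt" that drains the slab and unmaps its page between the fastpath's reads and its cmpxchg_double, and models probe_kernel_read() and the DEBUG_PAGEALLOC fault with plain C functions. It shows that the plain dereference would fault on the unmapped page, while the probed read returns a garbage value that the freelist/tid compare refuses to install.

```c
/* Added example (not kernel code): model of the SLUB lockless alloc fastpath. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 64
#define NOBJS    4
#define GARBAGE  ((void *)0xdeadbeefUL)   /* stands in for an uninitialised p */

/* Per-cpu allocation state, as in the kernel's struct kmem_cache_cpu. */
struct cpu_slab {
    void *freelist;
    unsigned long tid;
};

/* One constructed slab page; the free pointer sits at offset 0 of each object. */
static unsigned char slab_page[NOBJS * OBJ_SIZE];
static bool page_mapped;   /* false models DEBUG_PAGEALLOC having unmapped the page */
static int faults;         /* a plain load from an unmapped page would oops */

static void *object_at(int i) { return slab_page + i * OBJ_SIZE; }
static void set_freepointer(void *object, void *fp) { *(void **)object = fp; }

/* Unpatched read: a plain dereference. Counts the oops instead of crashing. */
static void *get_freepointer(void *object)
{
    if (!page_mapped) { faults++; return GARBAGE; }
    return *(void **)object;
}

/* Model of probe_kernel_read(): -EFAULT and *dst untouched when unmapped. */
static int probe_kernel_read_model(void *dst, const void *src, size_t n)
{
    if (!page_mapped) return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Mirrors the patch: the return code is ignored, so p keeps its old content. */
static void *get_freepointer_safe(void *object)
{
    void *p = GARBAGE;
    probe_kernel_read_model(&p, object, sizeof(p));
    return p;
}

static unsigned long next_tid(unsigned long tid) { return tid + 1; }

/* Model of cmpxchg_double(): replace (freelist, tid) only if BOTH still match. */
static bool cmpxchg_double(struct cpu_slab *c, void *old_fl, unsigned long old_tid,
                           void *new_fl, unsigned long new_tid)
{
    if (c->freelist != old_fl || c->tid != old_tid)
        return false;
    c->freelist = new_fl;
    c->tid = new_tid;
    return true;
}

/* Constructed interference between the reads and the cmpxchg: another path
 * drains the slab (bumping the tid) and DEBUG_PAGEALLOC unmaps the empty page. */
static void drain_and_unmap(struct cpu_slab *c)
{
    c->freelist = NULL;
    c->tid = next_tid(c->tid);
    page_mapped = false;
}

struct result { void *object; int retries; int faults; void *final_freelist; };

/* The slab_alloc() fastpath with one optional interruption after its reads. */
static struct result run_scenario(void (*interrupt)(struct cpu_slab *), bool use_safe)
{
    struct cpu_slab c;
    struct result r = {0};
    void *object;
    unsigned long tid;
    int i;

    page_mapped = true;
    faults = 0;
    for (i = 0; i < NOBJS; i++)
        set_freepointer(object_at(i), i + 1 < NOBJS ? object_at(i + 1) : NULL);
    c.freelist = object_at(0);
    c.tid = 0;
redo:
    tid = c.tid;
    object = c.freelist;
    if (object) {   /* NULL would take the slowpath in the kernel; not modelled */
        void *next;
        if (interrupt) { interrupt(&c); interrupt = NULL; }
        next = use_safe ? get_freepointer_safe(object) : get_freepointer(object);
        if (!cmpxchg_double(&c, object, tid, next, next_tid(tid))) {
            r.retries++;   /* stale tid/freelist: the garbage next is discarded */
            goto redo;
        }
    }
    r.object = object;
    r.faults = faults;
    r.final_freelist = c.freelist;
    return r;
}

int main(void)
{
    struct result r = run_scenario(drain_and_unmap, true);
    printf("safe:   object=%p retries=%d faults=%d\n", r.object, r.retries, r.faults);
    r = run_scenario(drain_and_unmap, false);
    printf("unsafe: faults=%d (a real kernel would have oopsed here)\n", r.faults);
    return 0;
}
```

In the interrupted run the probed read returns GARBAGE, but the cmpxchg_double fails because neither the freelist head nor the tid matches what the fastpath read earlier, so the loop retries and the garbage never reaches the freelist. In the kernel every fastpath operation advances the tid, which is why the compare still fails even when a reused page puts the same address back at the head of the list.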