[Devel] [PATCH rh7] tcache: fix use-after-free in tcache_invalidate_node_pages()
Andrey Ryabinin
aryabinin at virtuozzo.com
Tue Dec 8 07:52:50 PST 2015
tcache_invalidate_node_pages() temporarily drops/takes back node->tree_lock.
Once the lock was dropped, another thread might remove and free the next slot.
Don't drop the lock.
https://jira.sw.ru/browse/PSBM-42104
Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
---
mm/tcache.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/mm/tcache.c b/mm/tcache.c
index b8757cf..9bb88b4 100644
--- a/mm/tcache.c
+++ b/mm/tcache.c
@@ -121,8 +121,9 @@ static struct tcache_lru *tcache_lru_node;
/*
* Locking rules:
*
- * - tcache_node_tree->lock nests inside tcache_node->tree_lock
- * - tcache_lru->lock is independent
+ * tcache_node->tree_lock
+ * tcache_node_tree->lock
+ * tcache_lru->lock
*/
/* Enable/disable tcache backend (set at boot time) */
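Review bot: the rewritten "Locking rules" block lists three locks but no longer says what the list means; state the nesting direction explicitly, e.g. "Lock nesting order, outermost first:" above the three names, otherwise the reader cannot tell whether tcache_node->tree_lock is the outer or the inner lock. The old comment also said tcache_lru->lock "is independent"; now that tcache_lru_del() runs under node->tree_lock in the second hunk, the new ordering (tcache_lru->lock innermost) is the one the code relies on, so a short note that this line changed deliberately would help whoever reads the history.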
@@ -677,16 +678,8 @@ tcache_invalidate_node_pages(struct tcache_node *node)
radix_tree_for_each_slot(slot, &node->page_tree, &iter, 0) {
page = radix_tree_deref_slot_protected(slot, &node->tree_lock);
BUG_ON(!__tcache_page_tree_delete(node, page->index, page));
- spin_unlock(&node->tree_lock);
-
tcache_lru_del(page);
put_page(page);
-
- local_irq_enable();
- cond_resched();
- local_irq_disable();
-
- spin_lock(&node->tree_lock);
}
BUG_ON(node->nr_pages != 0);
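Review bot: with the spin_unlock/local_irq_enable/cond_resched/local_irq_disable/spin_lock sequence gone, the whole radix_tree_for_each_slot() walk, including tcache_lru_del() and put_page() for every page, now runs with node->tree_lock held and interrupts disabled for the entire node; on a node with many pages that is a long non-preemptible, IRQ-off section, which is exactly what the removed cond_resched() was there to avoid. The use-after-free is real (the slot the iterator points at can be freed once the lock is released), but a lighter fix that keeps the latency bound would be to keep the periodic unlock and restart the lookup after re-taking the lock instead of continuing from the stale slot, or to batch pages under the lock and release them after the unlock. If holding the lock throughout is acceptable here (e.g. nodes are small or this path is cold), say so in the commit message.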
--
2.4.10