linux/mm
Nick Piggin 27d20fddc8 radix-tree: fix RCU bug
Salman Qazi describes the following radix-tree bug:

In the following case, we get can get a deadlock:

0.  The radix tree contains two items, one has the index 0.
1.  The reader (in this case find_get_pages) takes the rcu_read_lock.
2.  The reader acquires slot(s) for item(s) including the index 0 item.
3.  The non-zero index item is deleted, and as a consequence the other item is
    moved to the root of the tree. The place where it used to be is queued for
    deletion after the readers finish.
3b. The zero item is deleted, removing it from the direct slot, it remains in
    the rcu-delayed indirect node.
4.  The reader looks at the index 0 slot, and finds that the page has 0 ref
    count
5.  The reader looks at it again, hoping that the item will either be freed or
    the ref count will increase. This never happens, as the slot it is looking
    at will never be updated. Also, this slot can never be reclaimed because
    the reader is holding rcu_read_lock and is in an infinite loop.

The fix is to re-use the same "indirect" pointer case that requires a slot
lookup retry into a general "retry the lookup" bit.

Signed-off-by: Nick Piggin <npiggin@kernel.dk>
Reported-by: Salman Qazi <sqazi@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-11-12 07:55:32 -08:00
..
backing-dev.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2010-10-26 17:58:44 -07:00
bootmem.c
bounce.c
compaction.c
debug-pagealloc.c
dmapool.c mm: add a might_sleep_if() to dma_pool_alloc() 2010-10-26 16:52:08 -07:00
fadvise.c
failslab.c
filemap_xip.c
filemap.c radix-tree: fix RCU bug 2010-11-12 07:55:32 -08:00
fremap.c
highmem.c mm,x86: fix kmap_atomic_push vs ioremap_32.c 2010-10-27 18:03:05 -07:00
hugetlb.c mm/hugetlb.c: add missing spin_lock() to hugetlb_cow() 2010-10-26 16:52:11 -07:00
hwpoison-inject.c
init-mm.c
internal.h mm: fix is_mem_section_removable() page_order BUG_ON check 2010-10-26 16:52:11 -07:00
Kconfig
Kconfig.debug
kmemcheck.c
kmemleak-test.c
kmemleak.c
ksm.c
maccess.c MN10300: Save frame pointer in thread_info struct rather than global var 2010-10-27 17:29:01 +01:00
madvise.c
Makefile
memblock.c
memcontrol.c memcg: null dereference on allocation failure 2010-11-12 07:55:31 -08:00
memory_hotplug.c mm: do_migrate_range: reduce list_empty() check 2010-10-26 16:52:11 -07:00
memory-failure.c
memory.c use clear_page()/copy_page() in favor of memset()/memcpy() on whole pages 2010-10-26 16:52:13 -07:00
mempolicy.c numa: fix slab_node(MPOL_BIND) 2010-10-28 10:04:30 -07:00
mempool.c
migrate.c mm: fix error reporting in move_pages() syscall 2010-10-26 16:52:11 -07:00
mincore.c
mlock.c
mm_init.c mm: mminit_loglevel cannot be __meminitdata anymore 2008-08-20 15:40:30 -07:00
mmap.c audit mmap 2010-10-30 08:45:43 -04:00
mmu_context.c
mmu_notifier.c
mmzone.c
mprotect.c perf_events: Fix perf_counter_mmap() hook in mprotect() 2010-11-09 10:19:38 -08:00
mremap.c mm: remove pte_*map_nested() 2010-10-26 16:52:08 -07:00
msync.c
nommu.c audit mmap 2010-10-30 08:45:43 -04:00
oom_kill.c
page_alloc.c mm: add casts to/from gfp_t in gfp_to_alloc_flags() 2010-10-26 16:52:09 -07:00
page_cgroup.c
page_io.c
page_isolation.c mm: page_isolation: codeclean fix comment and rm unneeded val init 2010-10-26 16:52:11 -07:00
page-writeback.c writeback: remove the internal 5% low bound on dirty_ratio 2010-10-26 16:52:08 -07:00
pagewalk.c
percpu-km.c
percpu-vm.c
percpu.c
prio_tree.c
quicklist.c
readahead.c
rmap.c rmap: make anon_vma_chain_free() static 2010-10-26 16:52:10 -07:00
shmem.c convert get_sb_nodev() users 2010-10-29 04:16:31 -04:00
slab.c replace nested max/min macros with {max,min}3 macro 2010-10-26 16:52:12 -07:00
slob.c
slub.c
sparse-vmemmap.c
sparse.c
swap_state.c
swap.c fuse: use release_pages() 2010-10-27 18:03:17 -07:00
swapfile.c /proc/swaps: support polling 2010-10-26 16:52:11 -07:00
thrash.c
truncate.c
util.c
vmalloc.c mm: add vzalloc() and vzalloc_node() helpers 2010-10-26 16:52:10 -07:00
vmscan.c vmscan: avoid setting zone congested if no page dirty 2010-11-12 07:55:31 -08:00
vmstat.c vmstat: fix offset calculation on void* 2010-11-03 14:39:58 -04:00