[PATCH 1/1] MM: swapfile, fix crash on double swapon

 
Jiri Slaby

(Msg. 1) Posted: Mon Nov 02, 2009 5:20 am
Post subject: [PATCH 1/1] MM: swapfile, fix crash on double swapon
Archived from groups: linux>kernel

Double swapon on a device causes a crash:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff810af160>] sys_swapon+0x1f0/0xc60
PGD 1dc0b067 PUD 1dc09067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file:
CPU 1
Modules linked in:
Pid: 562, comm: swapon Tainted: G W 2.6.32-rc5-mm1_64 #867
RIP: 0010:[<ffffffff810af160>] [<ffffffff810af160>] sys_swapon+0x1f0/0xc60
....

It is due to swap_info_struct->first_swap_extent.list not being
initialized. ->next is NULL in such a situation and
destroy_swap_extents fails to iterate over the list with the BUG
above.

Introduced by swap_info-include-first_swap_extent.patch. Revert the
INIT_LIST_HEAD move.

Signed-off-by: Jiri Slaby <jirislaby.RemoveThis@gmail.com>
Cc: Hugh Dickins <hugh.dickins.RemoveThis@tiscali.co.uk>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu.RemoveThis@jp.fujitsu.com>
Cc: Rik van Riel <riel.RemoveThis@redhat.com>
---
mm/swapfile.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/mm/swapfile.c b/mm/swapfile.c
index 93e71cf..26ef6a2 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -1313,7 +1313,6 @@ add_swap_extent(struct swap_info_struct *sis, unsigned long start_page,
if (start_page == 0) {
se = &sis->first_swap_extent;
sis->curr_swap_extent = se;
- INIT_LIST_HEAD(&se->list);
se->start_page = 0;
se->nr_pages = nr_pages;
se->start_block = start_block;
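Review bot: dropping `INIT_LIST_HEAD(&se->list);` from the `start_page == 0` branch means add_swap_extent no longer initialises the embedded first_swap_extent head itself, so the function now silently depends on the caller having done that before any path can reach destroy_swap_extents. A one-line comment at `se = &sis->first_swap_extent;` saying where the head is initialised would keep the next tidy-up from reintroducing exactly this dependency.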
@@ -1769,6 +1768,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
kfree(p);
goto out;
}
+ INIT_LIST_HEAD(&p->first_swap_extent.list);
if (type >= nr_swapfiles) {
p->type = type;
swap_info[type] = p;
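Review bot: the added `INIT_LIST_HEAD(&p->first_swap_extent.list);` sits before `if (type >= nr_swapfiles)`, which is where the shown context decides whether this freshly allocated p is stored in swap_info[type]; the other outcome of that test is not in the hunk, so if p can be replaced there, the head being initialised belongs to memory that is about to be dropped and the entry actually kept is relying on something else. Initialising once, after p is final, removes the need to reason about the branch the context hides.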
--
1.6.4.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo.RemoveThis@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Hugh Dickins

(Msg. 2) Posted: Mon Nov 02, 2009 7:20 am
Post subject: Re: [PATCH 1/1] MM: swapfile, fix crash on double swapon

On Mon, 2 Nov 2009, Jiri Slaby wrote:

> Double swapon on a device causes a crash:
> BUG: unable to handle kernel NULL pointer dereference at (null)

Thanks a lot for finding that: it doesn't just happen with a double
swapon of the same device, it happens with most kinds of error in
the swapon sequence. I thought I was being nice and tidy moving
that initialization, but actually I was just being careless.

> IP: [<ffffffff810af160>] sys_swapon+0x1f0/0xc60
> PGD 1dc0b067 PUD 1dc09067 PMD 0
> Oops: 0000 [#1] SMP
> last sysfs file:
> CPU 1
> Modules linked in:
> Pid: 562, comm: swapon Tainted: G W 2.6.32-rc5-mm1_64 #867
> RIP: 0010:[<ffffffff810af160>] [<ffffffff810af160>] sys_swapon+0x1f0/0xc60
> ...
>
> It is due to swap_info_struct->first_swap_extent.list not being
> initialized. ->next is NULL in such a situation and
> destroy_swap_extents fails to iterate over the list with the BUG
> above.
>
> Introduced by swap_info-include-first_swap_extent.patch. Revert the
> INIT_LIST_HEAD move.
>
> Signed-off-by: Jiri Slaby <jirislaby.TakeThisOut@gmail.com>
> Cc: Hugh Dickins <hugh.dickins.TakeThisOut@tiscali.co.uk>
> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu.TakeThisOut@jp.fujitsu.com>
> Cc: Rik van Riel <riel.TakeThisOut@redhat.com>

Acked-by: Hugh Dickins <hugh.dickins.TakeThisOut@tiscali.co.uk>

> ---
> mm/swapfile.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/mm/swapfile.c b/mm/swapfile.c
> index 93e71cf..26ef6a2 100644
> --- a/mm/swapfile.c
> +++ b/mm/swapfile.c
> @@ -1313,7 +1313,6 @@ add_swap_extent(struct swap_info_struct *sis, unsigned long start_page,
> if (start_page == 0) {
> se = &sis->first_swap_extent;
> sis->curr_swap_extent = se;
> - INIT_LIST_HEAD(&se->list);
> se->start_page = 0;
> se->nr_pages = nr_pages;
> se->start_block = start_block;
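Review bot: this hunk shows only the `start_page == 0` branch, where the embedded head used to be initialised; the code that links later extents onto first_swap_extent.list (the list destroy_swap_extents walks) is outside the context, so the ack should confirm that neither that code nor destroy_swap_extents can run before the swapon-side initialisation. Since the reply notes that most kinds of swapon error hit this, naming which error paths were checked would make the ack more useful to whoever merges it.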
> @@ -1769,6 +1768,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
> kfree(p);
> goto out;
> }
> + INIT_LIST_HEAD(&p->first_swap_extent.list);
> if (type >= nr_swapfiles) {
> p->type = type;
> swap_info[type] = p;
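Review bot: the Acked-by covers the whole diff, but the line that needs a sentence of justification is `+ INIT_LIST_HEAD(&p->first_swap_extent.list);` landing between the `kfree(p); goto out;` error path and `if (type >= nr_swapfiles)`: the initialisation is done on p before the code has chosen whether p is the struct that will be kept, and the context does not show the other branch. Either a statement that the unshown branch was checked, or a request to move the call below the decision, would record that reasoning alongside the ack.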
> --
> 1.6.4.2
Hugh Dickins

(Msg. 3) Posted: Tue Nov 03, 2009 5:20 pm
Post subject: [PATCH mmotm] fix to swap_info-include-first_swap_extent-fix.patch

Sorry, just noticed what the diff contexts don't show: Jiri's patch
is initializing p->first_swap_extent.list at a point before p has
been decided - we may kfree that newly allocated p and go on to
reuse an existing free entry for p.

Now, the patch is not actually wrong: an existing free entry will have
a good empty first_swap_extent.list; but it looks suspicious, it seems
strange to initialize a field in something we're about to kfree, and
I'd rather we put that initialization back to where it was in 2.6.32.

Signed-off-by: Hugh Dickins <hugh.dickins DeleteThis @tiscali.co.uk>
---

mm/swapfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- mmotm/mm/swapfile.c 2009-11-03 18:05:36.000000000 +0000
+++ linux/mm/swapfile.c 2009-11-03 18:08:26.000000000 +0000
@@ -1768,7 +1768,6 @@ SYSCALL_DEFINE2(swapon, const char __use
kfree(p);
goto out;
}
- INIT_LIST_HEAD(&p->first_swap_extent.list);
if (type >= nr_swapfiles) {
p->type = type;
swap_info[type] = p;
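Review bot: removing the early `INIT_LIST_HEAD(&p->first_swap_extent.list);` is right for the reason given in the mail, but nothing in the hunk marks the spot: a reader who sees `kfree(p); goto out;` followed by `if (type >= nr_swapfiles)` still cannot tell that p may be exchanged for an existing entry just below, so a short comment there would prevent the same mistake a third time. Since the subject says this is a fix to swap_info-include-first_swap_extent-fix.patch in mmotm, folding it into that patch rather than stacking another fix would also keep the intermediate ordering out of the history.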
@@ -1787,6 +1786,7 @@ SYSCALL_DEFINE2(swapon, const char __use
* would be relying on p->type to remain valid.
*/
}
+ INIT_LIST_HEAD(&p->first_swap_extent.list);
p->flags = SWP_USED;
p->next = -1;
spin_unlock(&swap_lock);
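Review bot: the initialisation now runs after the closing brace of the type-decision block, next to `p->flags = SWP_USED;` and `p->next = -1;` and before `spin_unlock(&swap_lock);`, i.e. on the final p while the lock is still held, which is the right place; one refinement is a comment saying this is an unconditional (re)initialisation that covers both a new allocation and a reused free entry, so nobody later drops it as redundant for the reused case on the strength of the mail's remark that such an entry already has a good empty list.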
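A user-space model of the ordering problem the three mails discuss, as an added example that is neither the kernel's code nor either poster's: it emulates a zeroed swap_info_struct whose embedded list head is walked by the error path before INIT_LIST_HEAD ran (the oops in the first mail), and compares the two placements of the initialisation debated in the patches. The list macros, `swapon_model`, `free_entry` and the `init_site` enum are simplifications invented for this example, not kernel APIs.

```c
/* Added example (not kernel code): a user-space model of the ordering problem
 * in this thread. A zeroed struct's embedded list head has next == NULL until
 * INIT_LIST_HEAD runs, so walking it from an error path dereferences NULL. */
#include <stdlib.h>
struct list_head { struct list_head *next, *prev; };
#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)
struct swap_extent { struct list_head list; unsigned long nr_pages; };
struct swap_info_struct { int flags; struct swap_extent first_swap_extent; };
enum init_site { INIT_NOWHERE, INIT_BEFORE_REUSE, INIT_AFTER_REUSE };
/* Stand-in for destroy_swap_extents(): number of extents on the list, or -1
 * where the kernel would oops because the head was never initialised. */
static int destroy_swap_extents(struct swap_info_struct *p)
{
    struct list_head *head = &p->first_swap_extent.list, *pos;
    int n = 0;
    if (head->next == NULL)
        return -1;                 /* "NULL pointer dereference at (null)" */
    for (pos = head->next; pos != head; pos = pos->next)
        n++;
    return n;
}
/* An "existing free entry": used and freed once before, so its list head is
 * already a good empty list, as the third mail notes. */
static struct swap_info_struct free_entry;
/* Hypothetical swapon skeleton. `site`: where INIT_LIST_HEAD runs (nowhere =
 * mmotm before the fix, before the reuse decision = first patch, after it =
 * the fix-to-the-fix). `reuse`: swapon drops the new allocation for an existing
 * free entry. `fail`: an error path runs destroy_swap_extents before any extent
 * was added. Returns destroy_swap_extents()'s result, or 0 when nothing failed. */
static int swapon_model(enum init_site site, int reuse, int fail)
{
    struct swap_info_struct *fresh = calloc(1, sizeof *fresh);  /* kzalloc */
    struct swap_info_struct *p = fresh;
    static int primed;
    int rc = 0;
    if (!fresh) return -2;
    if (site == INIT_BEFORE_REUSE)
        INIT_LIST_HEAD(&p->first_swap_extent.list);   /* on memory we may free */
    if (reuse) {
        if (!primed) { INIT_LIST_HEAD(&free_entry.first_swap_extent.list); primed = 1; }
        free(fresh); fresh = NULL;
        p = &free_entry;                               /* p is final from here */
    }
    if (site == INIT_AFTER_REUSE)
        INIT_LIST_HEAD(&p->first_swap_extent.list);   /* new or reused p alike */
    p->flags = 1;                                      /* SWP_USED */
    if (fail)
        rc = destroy_swap_extents(p);                  /* error-path cleanup */
    free(fresh);
    return rc;
}
```

Only the pre-fix ordering with a fresh allocation returns -1; both patched placements return 0, and the reuse case returns 0 even before the fix because the reused entry's head is already a good empty list, which is why the third mail calls the first patch suspicious rather than wrong.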