From 1b23336ad98b3666c216617227c7767cd60a22be Mon Sep 17 00:00:00 2001 From: "Paul E. McKenney" Date: Tue, 10 Mar 2009 12:55:52 -0700 Subject: idr: make idr_remove_all() do removal -before- free_layer() Fix a problem in the IDR system, where an idr_remove_all() hands a data element to call_rcu() (via free_layer()) before making that data element inaccessible to new readers. This is very bad, and results in readers still having a reference to this data element at the end of the grace period. Tests on large machines that concurrently map and unmap user-space memory within the same multithreaded process result in crashes within about five minutes. Applying this patch increases the kernel's longevity to the three-to-eight-hour range. There appear to be other similar problems in idr_get_empty_slot() and sub_remove(), but I fixed the easy one in idr_remove_all() first. It is therefore no surprise that failures still occur. Located-by: Milton Miller II Tested-by: Milton Miller II Signed-off-by: Paul E. McKenney Cc: Manfred Spraul Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- lib/idr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/idr.c b/lib/idr.c index c11c5765cdef..dab4bca86f5d 100644 --- a/lib/idr.c +++ b/lib/idr.c @@ -449,6 +449,7 @@ void idr_remove_all(struct idr *idp) n = idp->layers * IDR_BITS; p = idp->top; + rcu_assign_pointer(idp->top, NULL); max = 1 << n; id = 0; @@ -467,7 +468,6 @@ void idr_remove_all(struct idr *idp) p = *--paa; } } - rcu_assign_pointer(idp->top, NULL); idp->layers = 0; } EXPORT_SYMBOL(idr_remove_all); -- cgit From aa8e4fc68d8024cd3132035d13c3cefa7baeac8f Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 12 Mar 2009 19:32:51 -0700 Subject: bitmap: fix end condition in bitmap_find_free_region Guennadi Liakhovetski noticed that the end condition for the loop in bitmap_find_free_region() is wrong, and the "return if error" was also using the wrong conditional that would only trigger if the bitmap was an exact multiple of the allocation size, which is not necessarily the case with dma_alloc_from_coherent(). Such a failure would end up in bitmap_find_free_region() accessing beyond the end of the bitmap. Reported-by: Guennadi Liakhovetski Cc: Andrew Morton Signed-off-by: Linus Torvalds --- lib/bitmap.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/bitmap.c b/lib/bitmap.c index 1338469ac849..35a1f7ff4149 100644 --- a/lib/bitmap.c +++ b/lib/bitmap.c @@ -948,15 +948,15 @@ done: */ int bitmap_find_free_region(unsigned long *bitmap, int bits, int order) { - int pos; /* scans bitmap by regions of size order */ + int pos, end; /* scans bitmap by regions of size order */ - for (pos = 0; pos < bits; pos += (1 << order)) - if (__reg_op(bitmap, pos, order, REG_OP_ISFREE)) - break; - if (pos == bits) - return -ENOMEM; - __reg_op(bitmap, pos, order, REG_OP_ALLOC); - return pos; + for (pos = 0 ; (end = pos + (1 << order)) <= bits; pos = end) { + if (!__reg_op(bitmap, pos, order, REG_OP_ISFREE)) + continue; + __reg_op(bitmap, pos, order, REG_OP_ALLOC); + return pos; + } + return -ENOMEM; } EXPORT_SYMBOL(bitmap_find_free_region); -- cgit