diff options
| author | Kirill A. Shutemov <[email protected]> | 2015-02-11 15:25:35 -0800 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2015-02-11 17:06:01 -0800 |
| commit | 4ecf886045152d2ddf98ae74e39f789868ac1f98 (patch) | |
| tree | 6cde1110b8bad8824ffc882640e89a1c4af3d68c /include/linux/debugobjects.h | |
| parent | 9fbc1f635fd0bd28cb32550211bf095753ac637a (diff) | |
sparc32: fix broken set_pte()
32-bit sparc uses swap instruction to implement set_pte(). It called
using GCC inline assembler. But it misses the "memory" clobber to
indicate that pte value will be updated in memory.
As result GCC doesn't know that it cannot postpone pte pointer dereference
which occurs before set_pte() to post-set_pte() time.
It leads to real-world bugs -- [1]. In this situation we have code:
ptent = ptep_modify_prot_start(mm, addr, pte);
ptent = pte_modify(ptent, newprot);
...
ptep_modify_prot_commit(mm, addr, pte, ptent);
ptep_modify_prot_start() in sparc case is just 'pte' dereference plus
pte_clear(). pte_clear() calls broken set_pte(). GCC thinks it's valid
to dereference 'pte' again on pte_modify() and gets cleared pte.
ptep_modify_prot_commit() puts 'pteent' with pfn==0 back to page table,
which eventually leads to the crash.
[1] http://lkml.kernel.org/r/[email protected]
Signed-off-by: Kirill A. Shutemov <[email protected]>
Reported-by: Guenter Roeck <[email protected]>
Tested-by: Guenter Roeck <[email protected]>
Cc: Paul Moore <[email protected]>
Cc: Joonsoo Kim <[email protected]>
Cc: David Miller <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'include/linux/debugobjects.h')
0 files changed, 0 insertions, 0 deletions