diff options
| author | Andrea Arcangeli <[email protected]> | 2017-07-06 15:36:59 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2017-07-06 16:24:31 -0700 |
| commit | b4fecc67cc569b14301f5a1111363d5818b8da5e (patch) | |
| tree | 459b8703df7c99ead2ac7930b0efd3e8e72891e4 /tools/perf/scripts/python/event_analyzing_sample.py | |
| parent | 2c653d0ee2ae78ff3a174cc877a057c8afac7069 (diff) | |
ksm: fix use after free with merge_across_nodes = 0
If merge_across_nodes was manually set to 0 (not the default value) by
the admin or a tuned profile on NUMA systems triggering cross-NODE page
migrations, a stable_node use after free could materialize.
If the chain is collapsed stable_node would point to the old chain that
was already freed. stable_node_dup would be the stable_node dup now
converted to a regular stable_node and indexed in the rbtree in
replacement of the freed stable_node chain (not anymore a dup).
This special case where the chain is collapsed in the NUMA replacement
path, is now detected by setting stable_node to NULL by the chain_prune
callee if it decides to collapse the chain. This tells the NUMA
replacement code that even if stable_node and stable_node_dup are
different, this is not a chain if stable_node is NULL, as the
stable_node_dup was converted to a regular stable_node and the chain was
collapsed.
It is generally safer for the callee to force the caller stable_node to
NULL the moment it become stale so any other mistake like this would
result in an instant Oops easier to debug than an use after free.
Otherwise the replace logic would act like if stable_node was a valid
chain, when in fact it was freed. Notably
stable_node_chain_add_dup(page_node, stable_node) would run on a stable
stable_node.
Andrey Ryabinin found the source of the use after free in chain_prune().
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Andrea Arcangeli <[email protected]>
Reported-by: Andrey Ryabinin <[email protected]>
Reported-by: Evgheni Dereveanchin <[email protected]>
Tested-by: Andrey Ryabinin <[email protected]>
Cc: Petr Holasek <[email protected]>
Cc: Hugh Dickins <[email protected]>
Cc: Davidlohr Bueso <[email protected]>
Cc: Arjan van de Ven <[email protected]>
Cc: Gavin Guo <[email protected]>
Cc: Jay Vosburgh <[email protected]>
Cc: Mel Gorman <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/event_analyzing_sample.py')
0 files changed, 0 insertions, 0 deletions