mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-31 16:38:12 +00:00
32385c7cf6
__d_rehash is dereferencing an almost-NULL pointer on my ARM926. CONFIG_SMP=n and CONFIG_DEBUG_SPINLOCK=y.

The faulting instruction is:

    strne r3, [r2, #4]

and as can be seen from the register dump below, r2 is 0x00000001, hence the faulting 0x00000005 address.

__d_rehash is essentially:

    spin_lock_bucket(b);
    entry->d_flags &= ~DCACHE_UNHASHED;
    hlist_bl_add_head_rcu(&entry->d_hash, &b->head);
    spin_unlock_bucket(b);

which is:

    bit_spin_lock(0, (unsigned long *)&b->head.first);
    entry->d_flags &= ~DCACHE_UNHASHED;
    hlist_bl_add_head_rcu(&entry->d_hash, &b->head);
    __bit_spin_unlock(0, (unsigned long *)&b->head.first);

bit_spin_lock(0, ptr) sets bit 0 of *ptr, in this case b->head.first if CONFIG_SMP or CONFIG_DEBUG_SPINLOCK is set:

    #if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
        while (unlikely(test_and_set_bit_lock(bitnum, addr))) {
            while (test_bit(bitnum, addr)) {
                preempt_enable();
                cpu_relax();
                preempt_disable();
            }
        }
    #endif

So, b->head.first starts off NULL, and becomes a non-NULL (address 1).

hlist_bl_add_head_rcu() does this:

    static inline void hlist_bl_add_head_rcu(struct hlist_bl_node *n, struct hlist_bl_head *h)
    {
        first = hlist_bl_first(h);
        n->next = first;
        if (first)
            first->pprev = &n->next;

It is the store to first->pprev which is faulting.

hlist_bl_first():

    static inline struct hlist_bl_node *hlist_bl_first(struct hlist_bl_head *h)
    {
        return (struct hlist_bl_node *)
            ((unsigned long)h->first & ~LIST_BL_LOCKMASK);
    }

but:

    #if defined(CONFIG_SMP)
    #define LIST_BL_LOCKMASK 1UL
    #else
    #define LIST_BL_LOCKMASK 0UL
    #endif

So, we have one piece of code which sets bit 0 of addresses, and another bit of code which doesn't clear it before dereferencing the pointer if !CONFIG_SMP && CONFIG_DEBUG_SPINLOCK.

With the patch below, I can again successfully boot the kernel on my Versatile PB/926 platform.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
#ifndef _LINUX_LIST_BL_H
#define _LINUX_LIST_BL_H
#include <linux/list.h>
/*
 * Special version of lists, where head of the list has a lock in the lowest
 * bit. This is useful for scalable hash tables without increasing memory
 * footprint overhead.
 *
 * For modification operations, the 0 bit of hlist_bl_head->first
 * pointer must be set.
 *
 * With some small modifications, this can easily be adapted to store several
 * arbitrary bits (not just a single lock bit), if the need arises to store
 * some fast and compact auxiliary data.
 */
/*
 * Mask for the lock bit kept in bit 0 of hlist_bl_head->first.
 *
 * The mask must be non-zero in exactly the configurations where the lock bit
 * is really set in ->first. With the bit set but a zero mask,
 * hlist_bl_first() hands back the tagged pointer (NULL | 1 for an empty
 * bucket) and the next store through it faults on a near-NULL address.
 * NOTE(review): keep this condition in step with the one guarding the
 * bit-setting loop in bit_spin_lock().
 */
#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
#define LIST_BL_LOCKMASK 1UL
#else
#define LIST_BL_LOCKMASK 0UL
#endif
/*
 * Debug-only sanity checks: with CONFIG_DEBUG_LIST they become BUG_ON(),
 * otherwise the macro expands to nothing and its argument is never evaluated,
 * so the lock-bit invariants below are not enforced at run time.
 */
#ifdef CONFIG_DEBUG_LIST
#define LIST_BL_BUG_ON(x) BUG_ON(x)
#else
#define LIST_BL_BUG_ON(x)
#endif
/*
 * List head. Bit 0 of ->first doubles as the lock bit (see
 * LIST_BL_LOCKMASK), so read the pointer through hlist_bl_first() rather
 * than dereferencing ->first directly.
 */
struct hlist_bl_head {
	struct hlist_bl_node *first;
};
/*
 * List node. ->next points at the following node; ->pprev points at whichever
 * pointer currently refers to this node (the head's ->first or the previous
 * node's ->next). A NULL ->pprev is what hlist_bl_unhashed() tests for.
 */
struct hlist_bl_node {
	struct hlist_bl_node *next;
	struct hlist_bl_node **pprev;
};
/*
 * Initialise @ptr as an empty list head. Storing NULL also leaves bit 0
 * (the lock bit) clear.
 */
#define INIT_HLIST_BL_HEAD(ptr) \
	((ptr)->first = NULL)
/*
 * Put @h into the unhashed state by clearing both of its link fields.
 * A NULL ->pprev is what hlist_bl_unhashed() checks for.
 */
static inline void INIT_HLIST_BL_NODE(struct hlist_bl_node *h)
{
	h->pprev = NULL;
	h->next = NULL;
}
/* Map a node pointer back to the structure of @type that embeds it as @member. */
#define hlist_bl_entry(ptr, type, member) container_of(ptr,type,member)
/*
 * Return non-zero when @h is not linked into a list, i.e. its ->pprev is
 * NULL. Only ->pprev is inspected; ->next is not looked at.
 */
static inline int hlist_bl_unhashed(const struct hlist_bl_node *h)
{
	return h->pprev == NULL;
}
/*
 * Return the first node of @h with the lock bit stripped, or NULL for an
 * empty list.
 *
 * ->first may carry the lock bit in bit 0, so it must never be dereferenced
 * as-is. The result is only a valid pointer if LIST_BL_LOCKMASK covers every
 * configuration in which that bit can be set.
 */
static inline struct hlist_bl_node *hlist_bl_first(struct hlist_bl_head *h)
{
	unsigned long raw = (unsigned long)h->first;

	return (struct hlist_bl_node *)(raw & ~LIST_BL_LOCKMASK);
}
/*
 * Make @n the first node of @h while keeping the lock bit set in ->first.
 *
 * The two debug checks (active only with CONFIG_DEBUG_LIST) assert that @n
 * itself has no lock bit in its address and that @h is currently locked,
 * i.e. the lock bit is already present in ->first.
 */
static inline void hlist_bl_set_first(struct hlist_bl_head *h,
					struct hlist_bl_node *n)
{
	unsigned long new_first = (unsigned long)n;

	LIST_BL_BUG_ON(new_first & LIST_BL_LOCKMASK);
	LIST_BL_BUG_ON(((unsigned long)h->first & LIST_BL_LOCKMASK) !=
							LIST_BL_LOCKMASK);
	/* Re-apply the lock bit: the store must not drop the lock. */
	h->first = (struct hlist_bl_node *)(new_first | LIST_BL_LOCKMASK);
}
/*
 * Return non-zero when @h holds no nodes. The lock bit is masked off first,
 * so a locked but empty head still counts as empty.
 */
static inline int hlist_bl_empty(const struct hlist_bl_head *h)
{
	unsigned long raw = (unsigned long)h->first;

	return (raw & ~LIST_BL_LOCKMASK) == 0;
}
/*
 * Insert @n at the front of @h.
 *
 * The previous first node is fetched through hlist_bl_first(), so the lock
 * bit never ends up in @n->next or in a pointer that gets dereferenced.
 * hlist_bl_set_first() then publishes @n with the lock bit kept.
 */
static inline void hlist_bl_add_head(struct hlist_bl_node *n,
					struct hlist_bl_head *h)
{
	struct hlist_bl_node *old_first = hlist_bl_first(h);

	n->next = old_first;
	if (old_first != NULL) {
		/* The old head is now reached through @n->next. */
		old_first->pprev = &n->next;
	}
	n->pprev = &h->first;
	hlist_bl_set_first(h, n);
}
/*
 * Unlink @n from its list without touching @n's own link fields.
 *
 * @n->pprev may point at the head's ->first, which carries the lock bit, so
 * whatever lock bit is found in the slot is carried over into the value
 * written back.
 */
static inline void __hlist_bl_del(struct hlist_bl_node *n)
{
	struct hlist_bl_node *succ = n->next;
	struct hlist_bl_node **link = n->pprev;
	unsigned long lock_bit;

	LIST_BL_BUG_ON((unsigned long)n & LIST_BL_LOCKMASK);

	/* link may be `first`, so be careful not to lose the lock bit */
	lock_bit = (unsigned long)*link & LIST_BL_LOCKMASK;
	*link = (struct hlist_bl_node *)((unsigned long)succ | lock_bit);
	if (succ != NULL)
		succ->pprev = link;
}
/*
 * Unlink @n and overwrite its link fields with the LIST_POISON1 and
 * LIST_POISON2 markers instead of leaving stale pointers behind.
 *
 * Assuming LIST_POISON2 is non-zero (it is defined outside this file),
 * ->pprev stays non-NULL, so hlist_bl_unhashed() does not report a node
 * removed this way as unhashed; hlist_bl_del_init() leaves it NULL instead.
 */
static inline void hlist_bl_del(struct hlist_bl_node *n)
{
	__hlist_bl_del(n);
	n->pprev = LIST_POISON2;
	n->next = LIST_POISON1;
}
/*
 * Unlink @n if it is currently hashed and return it to the initialised
 * (unhashed) state. An already unhashed node is left alone, so calling this
 * again on the same node does nothing.
 */
static inline void hlist_bl_del_init(struct hlist_bl_node *n)
{
	if (hlist_bl_unhashed(n))
		return;

	__hlist_bl_del(n);
	INIT_HLIST_BL_NODE(n);
}
/**
 * hlist_bl_for_each_entry - iterate over list of given type
 * @tpos: the type * to use as a loop cursor.
 * @pos: the &struct hlist_bl_node to use as a loop cursor.
 * @head: the head for your list.
 * @member: the name of the hlist_bl_node within the struct.
 *
 * Iteration starts from hlist_bl_first(), so the lock bit in @head is masked
 * off before the first node is touched. @pos->next is read after the loop
 * body has run, so the body must not unlink @pos; use
 * hlist_bl_for_each_entry_safe() for that.
 */
#define hlist_bl_for_each_entry(tpos, pos, head, member) \
	for (pos = hlist_bl_first(head); \
	pos && \
	({ tpos = hlist_bl_entry(pos, typeof(*tpos), member); 1;}); \
	pos = pos->next)
/**
 * hlist_bl_for_each_entry_safe - iterate over list of given type safe against removal of list entry
 * @tpos: the type * to use as a loop cursor.
 * @pos: the &struct hlist_bl_node to use as a loop cursor.
 * @n: another &struct hlist_bl_node to use as temporary storage
 * @head: the head for your list.
 * @member: the name of the hlist_bl_node within the struct.
 *
 * @pos->next is saved in @n before the loop body runs, so the body may
 * unlink @pos. Iteration starts from hlist_bl_first(), so the lock bit in
 * @head is masked off before the first node is touched.
 */
#define hlist_bl_for_each_entry_safe(tpos, pos, n, head, member) \
	for (pos = hlist_bl_first(head); \
	pos && ({ n = pos->next; 1; }) && \
	({ tpos = hlist_bl_entry(pos, typeof(*tpos), member); 1;}); \
	pos = n)
#endif