Hugh Dickins 353d5c30c6 mm: fix hugetlb bug due to user_shm_unlock call
2.6.30's commit 8a0bdec194c21c8fdef840989d0d7b742bb5d4bc removed
user_shm_lock() calls in hugetlb_file_setup() but left the
user_shm_unlock call in shm_destroy().

In detail:
Assume that can_do_hugetlb_shm() returns true and hence user_shm_lock()
is not called in hugetlb_file_setup(). However, user_shm_unlock() is
called in any case in shm_destroy() and in the following
atomic_dec_and_lock(&up->__count) in free_uid() is executed and if
up->__count gets zero, also cleanup_user_struct() is scheduled.

Note that sched_destroy_user() is empty if CONFIG_USER_SCHED is not set.
However, the ref counter up->__count gets unexpectedly non-positive and
the corresponding structs are freed even though there are live
references to them, resulting in a kernel oops after a lot of
shmget(SHM_HUGETLB)/shmctl(IPC_RMID) cycles and CONFIG_USER_SCHED set.

Hugh changed Stefan's suggested patch: can_do_hugetlb_shm() at the
time of shm_destroy() may give a different answer from at the time
of hugetlb_file_setup().  And fixed newseg()'s no_id error path,
which has missed user_shm_unlock() ever since it came in 2.6.9.

Reported-by: Stefan Huber <shuber2@gmail.com>
Signed-off-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Tested-by: Stefan Huber <shuber2@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-08-24 12:53:01 -07:00
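The refcount imbalance the commit message describes, as an added worked model that is not part of the commit or of the kernel source: a reference on the per-user struct is taken only when can_do_hugetlb_shm() is false, but released on every shm_destroy(). The function names below mirror the kernel names from the message (user_struct, can_do_hugetlb_shm, get_uid, free_uid, mlock_user); their bodies are simplified stand-ins, and the three cycle variants (unconditional release, re-check at destroy, record at setup) are constructed to contrast the bug, the pitfall Hugh points out about the predicate changing between setup and destroy, and a balanced pairing.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not kernel code) of the refcount imbalance the
 * commit message describes. Names mirror the kernel functions named
 * there; the bodies are simplified stand-ins. */

struct user_struct {
    int count;    /* stands in for up->__count */
    bool freed;   /* set when free_uid() sees the count reach zero */
};

/* Stand-in for can_do_hugetlb_shm(): the answer depends on the caller's
 * current privileges, which can change between setup and destroy time. */
static bool can_do_hugetlb_shm(bool privileged_now)
{
    return privileged_now;
}

static void get_uid(struct user_struct *up) { up->count++; }

/* Stand-in for free_uid(): atomic_dec_and_lock(&up->__count) followed by
 * cleanup_user_struct() when the count reaches zero. */
static void free_uid(struct user_struct *up)
{
    if (--up->count == 0)
        up->freed = true;
}

/* 1. The bug: user_shm_lock() is skipped when the predicate is true, but
 *    shm_destroy() calls user_shm_unlock() unconditionally. */
static void cycle_unconditional_unlock(struct user_struct *up,
                                       bool priv_at_setup, bool priv_at_destroy)
{
    (void)priv_at_destroy;
    if (!can_do_hugetlb_shm(priv_at_setup))
        get_uid(up);            /* user_shm_lock() in hugetlb_file_setup() */
    free_uid(up);               /* user_shm_unlock() in shm_destroy(), always */
}

/* 2. Still wrong: re-evaluating the predicate at destroy time. If the
 *    privileges changed in between, lock and unlock no longer pair up
 *    (either a leaked reference or an extra drop). */
static void cycle_recheck_at_destroy(struct user_struct *up,
                                     bool priv_at_setup, bool priv_at_destroy)
{
    if (!can_do_hugetlb_shm(priv_at_setup))
        get_uid(up);
    if (!can_do_hugetlb_shm(priv_at_destroy))
        free_uid(up);
}

/* 3. Balanced: record at setup whether the reference was taken and release
 *    based on that record alone, regardless of the predicate's later value. */
static void cycle_record_at_setup(struct user_struct *up,
                                  bool priv_at_setup, bool priv_at_destroy)
{
    struct user_struct *mlock_user = NULL;   /* stored with the segment */
    (void)priv_at_destroy;
    if (!can_do_hugetlb_shm(priv_at_setup)) {
        get_uid(up);
        mlock_user = up;
    }
    if (mlock_user)
        free_uid(mlock_user);
}

typedef void (*cycle_fn)(struct user_struct *, bool, bool);

/* Run n shmget/IPC_RMID cycles against a user_struct that starts with one
 * live reference (the owning session) and return its final state. */
static struct user_struct run_cycles(cycle_fn fn, int n,
                                     bool priv_at_setup, bool priv_at_destroy)
{
    struct user_struct up = { .count = 1, .freed = false };
    for (int i = 0; i < n; i++)
        fn(&up, priv_at_setup, priv_at_destroy);
    return up;
}

struct user_struct unconditional_unlock(int n, bool setup, bool destroy)
{ return run_cycles(cycle_unconditional_unlock, n, setup, destroy); }

struct user_struct recheck_at_destroy(int n, bool setup, bool destroy)
{ return run_cycles(cycle_recheck_at_destroy, n, setup, destroy); }

struct user_struct record_at_setup(int n, bool setup, bool destroy)
{ return run_cycles(cycle_record_at_setup, n, setup, destroy); }
```

With the buggy pairing, a privileged caller drives the count from 1 to 0 on the very first cycle, so the struct is freed while the session still holds a reference, which is the use-after-free the oops reflects. The record-at-setup variant also covers the second point in the message, the newseg() no_id error path: once the reference has been recorded as taken, every exit path after that point, error paths included, must release it exactly once.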