Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754336AbbGXUx6 (ORCPT <rfc822;w@1wt.eu>);
	Fri, 24 Jul 2015 16:53:58 -0400
Received: from mail-db3on0062.outbound.protection.outlook.com ([157.55.234.62]:15394
	"EHLO emea01-db3-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1754570AbbGXUxz (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 24 Jul 2015 16:53:55 -0400
Authentication-Results: spf=fail (sender IP is 12.216.194.146)
 smtp.mailfrom=ezchip.com; ezchip.com; dkim=none (message not signed)
 header.d=none;
From: Chris Metcalf <cmetcalf@ezchip.com>
To: Andrew Morton <akpm@linux-foundation.org>,
        Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>,
        Pekka Enberg <penberg@kernel.org>,
        "Paul McQuade" <paulmcquad@gmail.com>,
        Tang Chen <tangchen@cn.fujitsu.com>, "Mel Gorman" <mgorman@suse.de>,
        <linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>
CC: Chris Metcalf <cmetcalf@ezchip.com>
Subject: [PATCH] bootmem: avoid freeing to bootmem after bootmem is done
Date: Fri, 24 Jul 2015 16:53:46 -0400
Message-ID: <1437771226-31255-1-git-send-email-cmetcalf@ezchip.com>
X-Mailer: git-send-email 2.1.2
X-EOPAttributedMessage: 0
X-Microsoft-Exchange-Diagnostics: 1;DB3FFO11FD019;1:X8naqiTZ9akYj4pcmZcxyzu0BrC66F1aJxDHGNzulHupewiNj1rbal5x8D042qgF7YEWhBt+XrORML+ggJvpoBgpALiuq97RZgeRPeoP4NugfKNi/EeIK2jFnP1xFKHOSrhegnkOOt4hYrGl4pcB7DDMN0iOu3A5pH8EQ13+BJSjvVImTL7nSX+D3xkJw1Q0ffHKS7fLT28bsE1YTJBdTSKIXef4RCtfHNNn5ohO2q3AOHocBrEql7gCrEIGWdDyzRhKqEcG/kOL4MgPd2WlOQRkxYmgPEdpUZYksw7UMbJ2oWh2vR/Fd1VykHEgR7MLx8OFsB9m7QIFFZEhlPUr+Q==
X-Forefront-Antispam-Report: CIP:12.216.194.146;CTRY:US;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(10009020)(6009001)(2980300002)(339900001)(199003)(189002)(105606002)(104016003)(46102003)(62966003)(50986999)(19580405001)(42186005)(106466001)(19580395003)(50226001)(77156002)(6806004)(5001770100001)(229853001)(189998001)(86362001)(107886002)(2201001)(36756003)(33646002)(48376002)(5001960100002)(85426001)(87936001)(92566002)(47776003)(5003940100001)(4001430100001)(2101003);DIR:OUT;SFP:1101;SCL:1;SRVR:DB5PR02MB0775;H:ld-1.internal.tilera.com;FPR:;SPF:Fail;MLV:sfv;A:1;MX:1;LANG:en;
MIME-Version: 1.0
Content-Type: text/plain
X-Microsoft-Exchange-Diagnostics: 1;DB5PR02MB0775;2:zNLqjiRxq6zkAZzxAZqFL0lMDuaqHS8SaCtkhL/X7uIP0ZdKzHvtyuPX2n8h9URW;3:Jx4JpH0v26kdT/7YZDZKN6MEMnINXQzbjEk2hqM4tmakQoQdRz1bQsI4iebM4wP1y4OhSa2yrD/+PkUt3W+M4M7jQF8xf2NZAHiZ+JNMqBwcQNFLAOdDCgxtgQAMvfT10Oq9iFRTprJJv5axCe7ACO7xdUQJDI+NcUSPimbqwv0JkM+DZvBzhXxmeKut/EVAW06o/bRSs/m9UI4VybA4PqV7owMQuIs4mI0WWqLrPWiOhtnuvo5B+9+iEkixGiIv;25:kXxIx45zvg5xPDRfPBqJx9XNuOHRHU1z2vr7Mj5x2ns+yMmB5XRHagssiQKWI00wnFvZzSeRni//90Shn4aEOcpall7LHnrXf5xb/+lkNcGLOF2K4Lqx54YpH6HsSamYHuky3NFBUKzfr0lzw0EmBvQTcSj0daAsMU5Lx2eJgw4nPB1afHwJPibXVLu157dDfuWFwjRSJDWmN1Y8H5KL27moZakV68Tk/BdpCFUTHXxLJkxsQFE6HTsun9o2xA7+O4YyLOqH4JR1WTrrY+Tx9A==;20:7X1Z+Y98MMcJWb9lg5BG+Jt2pRFqLPAWUblrJLoKqe/5crptYn7SixMv5ciL9t56GNaimfvQG6b4nGWw5e8k1kYUjbUtfsAoK1CK50lhIpakxNoka9KvvdSD+mKM2Geay69i1W5xtRvRwWzpvMSK9j1d77jjX+WJdW1uxTp/rYI=
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB5PR02MB0775;
DB5PR02MB0775: X-MS-Exchange-Organization-RulesExecuted
X-Microsoft-Antispam-PRVS: <DB5PR02MB077516FEF43EE160842F5155AF810@DB5PR02MB0775.eurprd02.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(3002001);SRVR:DB5PR02MB0775;BCL:0;PCL:0;RULEID:;SRVR:DB5PR02MB0775;
X-Microsoft-Exchange-Diagnostics: 1;DB5PR02MB0775;4:Lp/YD+kOJpsW027fj8390Q7yLKO+mcL7K1LD5jt1qbkYVS/No9qDvGgqzddem5D20hkRzQFDVuFCcL1iF0jg03Vz7+1WVF8Pcesw/Ytjr9i6J1539bSbDl/Z7+/3ob5I8Nh2D5c9IcYYz0ckgf94xjcw7/+eKT5aCqpQ7WMHYTooyTaSPjkqlVWojU/VKYG37hUGqKNsfo6C94L/xhG41IL0E10taTkq0QFHUfCg0SBfLARZ7qL/oirR8nmvPjuoP/36gw7iBc7joR96j0B9k7zt1RVKf6lILXVCH7XajcU=
X-Forefront-PRVS: 0647963F84
X-Microsoft-Exchange-Diagnostics: 1;DB5PR02MB0775;23:UeRXej6zVB7JhEsxbG/QdcSZr4//yw/YkEM0DGH1xAXtqYmVSZfK6xmxk2Qrq5FwUNcZdrdEuwN3h+h7ExEdXR8podcfdniSzqsPD0251z2RFvOjGpMLOemAgI8+Qy4XT6Z0bKObYa4zbREIMrg/kTmLQHqWhcyYyS/WcNdMVnQWttEddG2dfMc91l1uk29xaKUWPm6bjTqCbtbyCwVLUVKLTFlZO5FtsJLoHuP5esyiohYt/anGIHPTEvU5wZIqbPBnMefJCNpS1WReGLw7vNeL4uLMd4AcmpBOuQKy5pR1O7WjP4XLrsoaK17fuQfWpOT4RyeSF9OR2EHim1wp6GBvJTFso8LToWVkYaAPXPCp82+MK2gHzTeEklLcKB6Bq+awQ+0Lc9HfdEtJldr5hqKy8wX2cQl6p89KPomRFzva6ZDwv9rChkO4exHF6tVoCjaH05q7y+J1Uytbb6nPx1Uo+Mgua5sfMxIdxTq3WNKI+XkD8/FQsrQ6YGqwvENeDsHUuYLAIbIGNMFIyZ2HP/y0sBqVbUo8arehHVjF5hpGQxMXYn8rwa+ZFIXyvqReK5jo/KSIS0cEcHeBnRuQcKaAU5boGN72MjL9Hsml0QRXvtDDcQ9lA1D98fl6O1WfMd6zLz9ZJ/CLoDt9KLiJTRtnapg4Tz/0k7KPF5uTVDoWFxZhYp/rWOkPXhRyriRM+l9RXoY+hSyBvhUDP3avOsSnkfKarA/vuipOLotYj4JJ4oavNIpodxlq1b76S2w5Gh6xAdLStq8LetCBQWE/Sqe2T/SQmRWPXA1T1DMTRPjYTESHAtRyp6SHc5Q6lpYNowYW29ZwnmAPmdOfe+q/ooOqUPumt28+BVIKu/Fzp6FX1u8RVw8zYMt9SrVok77/6j1KW8kAFw+zezJobYyz3Uv1In6xYcyyr+oU0eLhO4U=
X-Microsoft-Exchange-Diagnostics: 1;DB5PR02MB0775;5:84P4sWYyXH6dNrKG5JbAzEMUtTW053aoUZBMS83NgFP6WsW8AAy/9zquQMVgJP57zGdkU2Q7v95W4dw9uqs4lv8rWFiM+RY8B0AVbxd4mS3L5WprjS2DYilhR4QmeIwjN/HMu1whClTxH9kL2tqRRA==;24:/WinAxAbpUNSLPRyQLY7gIgAcCvQrlmAUGx4SH+BlbF8Tn5g4PZ5F6fEmLasdfBtwfJjAQgXHI2JihNMh2l9C45KygiRN0GF7bJQgxUlsmg=;20:0vG7xo5pHK/1vt+MPsq2WbTx1IOitcgxPU5Lk97Y+cbv0K8wWvmOeBni4CieLlwG1xBOtzwsZMmbhcje7CnHig==
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: ezchip.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Jul 2015 20:53:51.7764
 (UTC)
X-MS-Exchange-CrossTenant-Id: 0fc16e0a-3cd3-4092-8b2f-0a42cff122c3
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=0fc16e0a-3cd3-4092-8b2f-0a42cff122c3;Ip=[12.216.194.146];Helo=[ld-1.internal.tilera.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR02MB0775
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1771
Lines: 53

Bootmem isn't popular any more, but some architectures still use
it, and freeing to bootmem after calling free_all_bootmem_core()
can end up scribbling over random memory.  Instead, make sure the
kernel panics by ensuring the node_bootmem_map field is non-NULL
when are freeing or marking bootmem.

An instance of this bug was just fixed in the tile architecture
("tile: use free_bootmem_late() for initrd") and catching this case
more widely seems like a good thing.

Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
---
 mm/bootmem.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mm/bootmem.c b/mm/bootmem.c
index a23dd1934654..178748259736 100644
--- a/mm/bootmem.c
+++ b/mm/bootmem.c
@@ -236,6 +236,7 @@ static unsigned long __init free_all_bootmem_core(bootmem_data_t *bdata)
 	count += pages;
 	while (pages--)
 		__free_pages_bootmem(page++, cur++, 0);
+	bdata->node_bootmem_map = NULL;
 
 	bdebug("nid=%td released=%lx\n", bdata - bootmem_node_data, count);
 
@@ -294,6 +295,8 @@ static void __init __free(bootmem_data_t *bdata,
 		sidx + bdata->node_min_pfn,
 		eidx + bdata->node_min_pfn);
 
+	BUG_ON(bdata->node_bootmem_map == NULL);
+
 	if (bdata->hint_idx > sidx)
 		bdata->hint_idx = sidx;
 
@@ -314,6 +317,8 @@ static int __init __reserve(bootmem_data_t *bdata, unsigned long sidx,
 		eidx + bdata->node_min_pfn,
 		flags);
 
+	BUG_ON(bdata->node_bootmem_map == NULL);
+
 	for (idx = sidx; idx < eidx; idx++)
 		if (test_and_set_bit(idx, bdata->node_bootmem_map)) {
 			if (exclusive) {
-- 
2.1.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/