x86, bts: fix wrmsr and spinlock over kmalloc

Impact: fix sleeping-with-spinlock-held bugs/crashes - Turn a wrmsr to write the DS_AREA MSR into a wrmsrl. - Use irqsave variants of spinlocks. - Do not allocate memory while holding spinlocks. Reported-by: Stephane Eranian <eranian@googlemail.com> Reported-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Markus Metzger <markus.t.metzger@intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>

x86, bts: fix wrmsr and spinlock over kmalloc
Impact: fix sleeping-with-spinlock-held bugs/crashes - Turn a wrmsr to write the DS_AREA MSR into a wrmsrl. - Use irqsave variants of spinlocks. - Do not allocate memory while holding spinlocks. Reported-by: Stephane Eranian <eranian@googlemail.com> Reported-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Markus Metzger <markus.t.metzger@intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
de90add3 · Markus Metzger · Ingo Molnar · c4858ffc · de90add3
Commit de90add3 authored Nov 25, 2008 by Markus Metzger Committed by Ingo Molnar Nov 25, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 37 deletions

arch/x86/kernel/ds.c arch/x86/kernel/ds.c +40 -37

No files found.
--- a/arch/x86/kernel/ds.c
+++ b/arch/x86/kernel/ds.c
@@ -209,14 +209,15 @@ static DEFINE_PER_CPU(struct ds_context *, system_context);
 static inline struct ds_context *ds_get_context(struct task_struct *task)
 {
 	struct ds_context *context;
+	unsigned long irq;
-	spin_lock(&ds_lock);
+	spin_lock_irqsave(&ds_lock, irq);
 	context = (task ? task->thread.ds_ctx : this_system_context);
 	if (context)
 		context->count++;
-	spin_unlock(&ds_lock);
+	spin_unlock_irqrestore(&ds_lock, irq);
 	return context;
 }
@@ -224,55 +225,46 @@ static inline struct ds_context *ds_get_context(struct task_struct *task)
 /*
 * Same as ds_get_context, but allocates the context and it's DS
 * structure, if necessary; returns NULL; if out of memory.
- *
- * pre: requires ds_lock to be held
 */
 static inline struct ds_context *ds_alloc_context(struct task_struct *task)
 {
 	struct ds_context **p_context =
 		(task ? &task->thread.ds_ctx : &this_system_context);
 	struct ds_context *context = *p_context;
+	unsigned long irq;
 	if (!context) {
-		spin_unlock(&ds_lock);
 		context = kzalloc(sizeof(*context), GFP_KERNEL);
+		if (!context)
-		if (!context) {
-			spin_lock(&ds_lock);
 			return NULL;
-		}
 		context->ds = kzalloc(ds_cfg.sizeof_ds, GFP_KERNEL);
 		if (!context->ds) {
 			kfree(context);
-			spin_lock(&ds_lock);
 			return NULL;
 		}
-		spin_lock(&ds_lock);
+		spin_lock_irqsave(&ds_lock, irq);
-		/*
-		 * Check for race - another CPU could have allocated
-		 * it meanwhile:
-		 */
 		if (*p_context) {
 			kfree(context->ds);
 			kfree(context);
-			return *p_context;
-		}
-		*p_context = context;
-		context->this = p_context;
+			context = *p_context;
-		context->task = task;
+		} else {
+			*p_context = context;
-		if (task)
+			context->this = p_context;
-			set_tsk_thread_flag(task, TIF_DS_AREA_MSR);
+			context->task = task;
-		if (!task || (task == current))
+			if (task)
-			wrmsr(MSR_IA32_DS_AREA, (unsigned long)context->ds, 0);
+				set_tsk_thread_flag(task, TIF_DS_AREA_MSR);
-		get_tracer(task);
+			if (!task || (task == current))
+				wrmsrl(MSR_IA32_DS_AREA,
+				       (unsigned long)context->ds);
+		}
+		spin_unlock_irqrestore(&ds_lock, irq);
 	}
 	context->count++;
@@ -286,10 +278,12 @@ static inline struct ds_context *ds_alloc_context(struct task_struct *task)
 */
 static inline void ds_put_context(struct ds_context *context)
 {
+	unsigned long irq;
 	if (!context)
 		return;
-	spin_lock(&ds_lock);
+	spin_lock_irqsave(&ds_lock, irq);
 	if (--context->count)
 		goto out;
@@ -311,7 +305,7 @@ static inline void ds_put_context(struct ds_context *context)
 	kfree(context->ds);
 	kfree(context);
 out:
-	spin_unlock(&ds_lock);
+	spin_unlock_irqrestore(&ds_lock, irq);
 }
@@ -382,6 +376,7 @@ static int ds_request(struct task_struct *task, void *base, size_t size,
 	struct ds_context *context;
 	unsigned long buffer, adj;
 	const unsigned long alignment = (1 << 3);
+	unsigned long irq;
 	int error = 0;
 	if (!ds_cfg.sizeof_ds)
@@ -396,26 +391,27 @@ static int ds_request(struct task_struct *task, void *base, size_t size,
 		return -EOPNOTSUPP;
-	spin_lock(&ds_lock);
-	error = -ENOMEM;
 	context = ds_alloc_context(task);
 	if (!context)
-		goto out_unlock;
+		return -ENOMEM;
+	spin_lock_irqsave(&ds_lock, irq);
 	error = -EPERM;
 	if (!check_tracer(task))
 		goto out_unlock;
+	get_tracer(task);
 	error = -EALREADY;
 	if (context->owner[qual] == current)
-		goto out_unlock;
+		goto out_put_tracer;
 	error = -EPERM;
 	if (context->owner[qual] != NULL)
-		goto out_unlock;
+		goto out_put_tracer;
 	context->owner[qual] = current;
-	spin_unlock(&ds_lock);
+	spin_unlock_irqrestore(&ds_lock, irq);
 	error = -ENOMEM;
@@ -463,10 +459,17 @@ static int ds_request(struct task_struct *task, void *base, size_t size,
 out_release:
 	context->owner[qual] = NULL;
 	ds_put_context(context);
+	put_tracer(task);
+	return error;
+ out_put_tracer:
+	spin_unlock_irqrestore(&ds_lock, irq);
+	ds_put_context(context);
+	put_tracer(task);
 	return error;
 out_unlock:
-	spin_unlock(&ds_lock);
+	spin_unlock_irqrestore(&ds_lock, irq);
 	ds_put_context(context);
 	return error;
 }