From 993d1d94fd85e3fa67e9730fab1d71668aba25cc Mon Sep 17 00:00:00 2001
From: Rob Gardner
Date: Mon, 10 Apr 2017 13:24:48 -0600
Subject: [PATCH] sparc64: Ignored DAX ref count causes lockup

Orabug: 25870705

The dax_mm structure has a reference count that represents the number of dax_vma structures that point to it. The reference count is duly incremented and decremented each time memory is allocated via the dax_alloc/mmap path. However, the reference count is never used for its intended purpose, which is to prevent the dax_mm structure from being freed while there are references to it. The result of this is that if dax_free is called after the process's dax_mm is cleaned up, the dax_vma will have a reference to the freed object, leading to panics due to null pointers and/or lockups due to invalid spinlock state.

Code changed to actually check the reference count before freeing a dax_mm.

Signed-off-by: Rob Gardner
Reviewed-by: Sanath Kumar
Signed-off-by: Allen Pais
---
 arch/sparc/dax/dax_mm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/sparc/dax/dax_mm.c b/arch/sparc/dax/dax_mm.c
index 181cf57c64e0..7d7fa073bb2e 100644
--- a/arch/sparc/dax/dax_mm.c
+++ b/arch/sparc/dax/dax_mm.c
@@ -568,7 +568,7 @@ void dax_vm_close(struct vm_area_struct *vma) int dax_clean_dm(struct dax_mm *dm) { /* if ctx list is empty, clean up this struct dax_mm */ - if (list_empty(&dm->ctx_list)) { + if (list_empty(&dm->ctx_list) && (dm->vma_count == 0)) { spin_lock(&dm_list_lock); list_del(&dm->mm_list); dax_list_dbg("freeing dm with vma_count=%d, ctx_count=%d",
--
2.50.1
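Review bot: in the dax_clean_dm hunk the new `dm->vma_count == 0` test is evaluated before `spin_lock(&dm_list_lock)` is taken, so nothing visible here stops vma_count from changing between the check and the `list_del(&dm->mm_list)` that follows; if vma_count is updated under dm_list_lock (or any other lock) on the dax_alloc/mmap path the commit message mentions, the check should be moved inside that lock, otherwise the window in which a dax_vma can still point at a freed dax_mm is narrowed rather than closed. The comment above the condition, `/* if ctx list is empty, clean up this struct dax_mm */`, is also now stale, since the struct is only freed when the ctx list is empty and vma_count is zero; it should say so, especially as the dax_list_dbg line directly below already reports both counts.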