shm: fix shmctl(SHM_INFO) lockup with !CONFIG_SHMEM
Tony Battersby [Wed, 4 Feb 2009 23:12:04 +0000 (15:12 -0800)]
shm_get_stat() assumes that the inode is a "struct shmem_inode_info",
which is incorrect for !CONFIG_SHMEM (see fs/ramfs/inode.c:
ramfs_get_inode() vs.  mm/shmem.c: shmem_get_inode()).

This bad assumption can cause shmctl(SHM_INFO) to lockup when
shm_get_stat() tries to spin_lock(&info->lock).  Users of !CONFIG_SHMEM
may encounter this lockup simply by invoking the 'ipcs' command.

Reported by Jiri Olsa back in February 2008:
http://lkml.org/lkml/2008/2/29/74

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Reported-by: Jiri Olsa <olsajiri@gmail.com>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: <stable@kernel.org> [2.6.everything]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

ipc/shm.c

index c0a021f..f8f69fa 100644 (file)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -565,11 +565,15 @@ static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
                        struct hstate *h = hstate_file(shp->shm_file);
                        *rss += pages_per_huge_page(h) * mapping->nrpages;
                } else {
+#ifdef CONFIG_SHMEM
                        struct shmem_inode_info *info = SHMEM_I(inode);
                        spin_lock(&info->lock);
                        *rss += inode->i_mapping->nrpages;
                        *swp += info->swapped;
                        spin_unlock(&info->lock);
+#else
+                       *rss += inode->i_mapping->nrpages;
+#endif
                }
 
                total++;