@@ -262,8 +262,8 @@ struct held_lock {
unsigned int read:2; /* see lock_acquire() comment */
unsigned int check:1; /* see lock_acquire() comment */
unsigned int hardirqs_off:1;
- unsigned int references:12; /* 32 bits */
- unsigned int pin_count;
+ unsigned int pin_count:12; /* 32 bits */
+ unsigned int references;
};
/*
@@ -3613,9 +3613,9 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
if (hlock->class_idx == class_idx && nest_lock) {
if (hlock->references) {
/*
- * Check: unsigned int references:12, overflow.
+ * Check: unsigned int references overflow.
*/
- if (DEBUG_LOCKS_WARN_ON(hlock->references == (1 << 12)-1))
+ if (DEBUG_LOCKS_WARN_ON(hlock->references == UINT_MAX))
return 0;
hlock->references++;
@@ -4053,11 +4053,14 @@ static struct pin_cookie __lock_pin_lock(struct lockdep_map *lock)
if (match_held_lock(hlock, lock)) {
/*
- * Grab 16bits of randomness; this is sufficient to not
- * be guessable and still allows some pin nesting in
- * our u32 pin_count.
+ * Grab 6bits of randomness; this is barely sufficient
+ * to not be guessable and still allows some 32 levels
+ * of pin nesting in our u12 pin_count.
*/
- cookie.val = 1 + (prandom_u32() >> 16);
+ cookie.val = 1 + (prandom_u32() >> 26);
+ if (DEBUG_LOCKS_WARN_ON(hlock->pin_count + cookie.val >= 1 << 12))
+ return NIL_COOKIE;
+
hlock->pin_count += cookie.val;
return cookie;
}
As a lockmap takes a reference for every ww_mutex used together, this can be an arbitrarily large number and under control of userspace -- easily overflowing the limit of 4096. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> --- include/linux/lockdep.h | 4 ++-- kernel/locking/lockdep.c | 15 +++++++++------ 2 files changed, 11 insertions(+), 8 deletions(-)