Message-Id: <20100409172432.84a74cc3.kamezawa.hiroyu@jp.fujitsu.com>
Date: Fri, 9 Apr 2010 17:24:32 +0900
From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>
To: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
Nick Piggin <npiggin@...e.de>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Andrea Arcangeli <aarcange@...hat.com>,
Avi Kivity <avi@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Rik van Riel <riel@...hat.com>, Ingo Molnar <mingo@...e.hu>,
akpm@...ux-foundation.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
David Miller <davem@...emloft.net>,
Hugh Dickins <hugh.dickins@...cali.co.uk>,
Mel Gorman <mel@....ul.ie>
Subject: Re: [PATCH 02/13] mm: Revalidate anon_vma in page_lock_anon_vma()
On Fri, 9 Apr 2010 17:03:49 +0900
KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> wrote:
> On Fri, 9 Apr 2010 16:57:03 +0900
> KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> wrote:
>
> > On Fri, 9 Apr 2010 16:29:59 +0900 (JST)
> > KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com> wrote:
>
> > > > Hmm, I think the following.
> > > >
> > > > Assume a page is ANON and SwapCache, and it has only one reference.
> > > > Consider it's read-only mapped and causes do_wp_page().
> > > > page_mapcount(page) == 1 here.
> > > >
> > > > CPU0                        CPU1
> > > >
> > > > 1. do_wp_page()
> > > > 2. .....
> > > > 3. replace anon_vma.        anon_vma = lock_page_anon_vma()
> > > >
> > > > So, lock_page_anon_vma() may have lock on wrong anon_vma, here. (mapcount=1)
> > > >
> > > > 4. modify pte to writable. do something...
> > > >
> > > > After lock, in CPU1, a pte of estimated address by vma_address(vma, page)
> > > > contains pfn of the page and page_check_address() will succeed.
> > > >
> > > > I'm not sure how this is dangerous.
> > > > But it's possible that CPU1 cannot notice there was anon_vma replacement.
> > > > And modifies pte without holding anon vma's lock which the code believes
> > > > is held.
> > >
> > >
> > > Hehe, page_referenced() already can take unstable VM_LOCKED value. So,
> > > in the worst case we make a false positive pageout, but it's not a disaster,
> > > I think. Anyway "use after free" doesn't happen by this brutal code.
> > >
> > > However, I think you pointed one good thing. Before Rik's patch, we don't have
> > > page->mapping reassignment. Then, we didn't need rcu_dereference().
> > > But now it can happen. So, I think rcu_dereference() is better.
> > >
> > > Perhaps, I'm missing something.
> > >
> >
> > Hmm. I wonder whether we can check "whether we lock valid anon_vma or not" only under
> > pte_lock or lock_page().
> > ==
> > anon_vma = page_anon_vma(page);
> > lock(anon_vma->lock);
> > ....
> > page_check_address(page)
> > ....
> > pte_lock();
> > if (page_anon_vma(page) != anon_vma)
> >         # anon_vma replacement happens!
> > unlock(anon_vma->lock);
> > ==
> > So, rather than page_lock_anon_vma(), page_check_address() may have to check anon_vma
> > replacement.... But I cannot think of a dangerous case which can cause panic for now.
> > I may miss something...
> >
> Ah... anon_vma replacement occurs under lock_page() and pte_lock.
> Almost all callers of page_lock_anon_vma() hold lock_page(). So, I think
> this anon_vma replacement is not very serious.
Sorry for short mails ;(
Note: vmscan.c::shrink_active_list()
-> page_referenced()
doesn't take lock_page() and may see wrong anon_vma by replacement.
Don't we need lock_page() around?
Thanks,
-Kame