From: Mel Gorman <mel@csn.ul.ie>
To: Andrea Arcangeli <aarcange@redhat.com>
Cc: Christoph Lameter <cl@linux-foundation.org>,
Adam Litke <agl@us.ibm.com>, Avi Kivity <avi@redhat.com>,
David Rientjes <rientjes@google.com>,
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
Mel Gorman <mel@csn.ul.ie>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH 10/12] mm: Check for an empty VMA list in rmap_walk_anon
Date: Fri, 12 Feb 2010 12:00:57 +0000
Message-ID: <1265976059-7459-11-git-send-email-mel@csn.ul.ie>
In-Reply-To: <1265976059-7459-1-git-send-email-mel@csn.ul.ie>
There appears to be a race in rmap_walk_anon() that can be triggered by using
page migration under heavy load on pages that do not belong to the process
doing the migration - e.g. during memory compaction. The bug triggered is
a NULL pointer dereference in list_for_each_entry().
I believe what is happening is that rmap_walk() is called but the process
exits before the lock gets taken. rmap_walk_anon() by design is not holding
the mmap_sem which would have guaranteed its existence. There is a comment
explaining the locking (or lack thereof) decision but the reasoning is not
very clear.
This patch checks if the VMA list is empty after the lock is taken which
avoids the race. It should be reviewed by people more familiar with
migration to confirm this is sufficient or if the locking decisions
around rmap_walk() need to be revisited.
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
---
mm/rmap.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/mm/rmap.c b/mm/rmap.c
index 278cd27..b468d5f 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -1237,6 +1237,14 @@ static int rmap_walk_anon(struct page *page, int (*rmap_one)(struct page *,
if (!anon_vma)
return ret;
spin_lock(&anon_vma->lock);
+
+ /*
+ * While the anon_vma may still exist, there is no guarantee
+ * the VMAs still do.
+ */
+ if (list_empty(&anon_vma->head))
+ goto out_anon_unlock;
+
list_for_each_entry(vma, &anon_vma->head, anon_vma_node) {
unsigned long address = vma_address(page, vma);
if (address == -EFAULT)
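Review bot: the new list_empty() check at the top of this hunk cannot by itself stop the NULL pointer dereference described in the changelog, because list_for_each_entry() over an empty list runs zero iterations and never dereferences an entry; the check only changes behaviour when anon_vma->head is no longer a valid list head, which means the anon_vma itself has been freed, and the spin_lock(&anon_vma->lock) taken on the line above does not protect against that. Suggest the comment state explicitly what the lock is and is not expected to guarantee, and that the anon_vma lifetime must be ensured separately (as the changelog itself asks reviewers to confirm), rather than presenting the empty-list test as the fix for the race.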
@@ -1245,6 +1253,8 @@ static int rmap_walk_anon(struct page *page, int (*rmap_one)(struct page *,
if (ret != SWAP_AGAIN)
break;
}
+
+out_anon_unlock:
spin_unlock(&anon_vma->lock);
return ret;
}
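Review bot: the out_anon_unlock path returns ret unchanged, so the empty-list case reports the same result as the earlier `if (!anon_vma) return ret;` case; a one-line comment at the label saying that "no VMAs" is treated as "nothing to do" rather than as an error would make that intent explicit for the caller. Minor style point: the label sits immediately before the only unlock, so any future code added between the end of the loop and the label would be skipped by the early-out path; keeping the label directly adjacent to spin_unlock(), as here, should be noted as deliberate.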
--
1.6.5