From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <20020827092219.27495.qmail@thales.mathematik.uni-ulm.de> From: "Christian Ehrhardt" Date: Tue, 27 Aug 2002 11:22:19 +0200 Subject: Re: MM patches against 2.5.31 References: <3D644C70.6D100EA5@zip.com.au> <20020826152950.9929.qmail@thales.mathematik.uni-ulm.de> <3D6A8082.3775C5AB@zip.com.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D6A8082.3775C5AB@zip.com.au> Sender: owner-linux-mm@kvack.org Return-Path: To: Andrew Morton Cc: Daniel Phillips , lkml , "linux-mm@kvack.org" List-ID: On Mon, Aug 26, 2002 at 12:24:50PM -0700, Andrew Morton wrote: > The flaw is in doing the put_page_testzero() outside of any locking > which would prevent other CPUs from finding and "rescuing" the zero-recount > page. > > CPUA: > if (put_page_testzero()) { > /* Here's the window */ > spin_lock(lru_lock); > list_del(page->lru); > > CPUB: > > spin_lock(lru_lock); > page = list_entry(lru); > page_cache_get(page); /* If this goes from 0->1, we die */ > ... > page_cache_release(page); /* double free */ So what we want CPUB do instead is spin_lock(lru_lock); page = list_entry(lru) START ATOMIC page_cache_get(page); res = (page_count (page) == 1) END ATOMIC if (res) { atomic_dec (&page->count); continue; /* with next page */ } ... page_cache_release (page); I.e. we want to detect _atomically_ that we just raised the page count from zero to one. My patch actually has a solution that implements the needed atomic operation above by means of the atomic functions that we currently have on all archs (it's called get_page_testzero and should probably called get_page_testone). The more I think about this the more I think this is the way to go. regards Christian -- THAT'S ALL FOLKS! -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/