From: Hugh Dickins <hugh@veritas.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>, linux-mm@kvack.org
Subject: [PATCH 5/8] mm: try_to_unuse check removing right swap
Date: Sun, 23 Nov 2008 22:01:56 +0000 (GMT) [thread overview]
Message-ID: <Pine.LNX.4.64.0811232200560.4142@blonde.site> (raw)
In-Reply-To: <Pine.LNX.4.64.0811232151400.3748@blonde.site>
There's a possible race in try_to_unuse() which Nick Piggin led me to two
years ago. Where it does lock_page() after read_swap_cache_async(), what
if another task removed that page from swapcache just before we locked it?
It would sail though the (*swap_map > 1) tests doing nothing (because it
could not have been removed from swapcache before its swap references were
gone), until it reaches the delete_from_swap_cache(page) near the bottom.
Now imagine that this page has been allocated to swap on a different swap
area while we dropped page lock (perhaps at the top, perhaps in unuse_mm):
we could wrongly remove from swap cache before the page has been written
to swap, so a subsequent do_swap_page() would read in stale data from swap.
I think this case could not happen before: remove_exclusive_swap_page()
refused while page count was raised. But now with reuse_swap_page() and
try_to_free_swap() removing from swap cache without minding page count,
I think it could happen - the previous patch argued that it was safe
because try_to_unuse() already ignored page count, but overlooked that
it might be breaking the assumptions in try_to_unuse() itself.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
---
mm/swapfile.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- swapfree4/mm/swapfile.c 2008-11-21 18:50:50.000000000 +0000
+++ swapfree5/mm/swapfile.c 2008-11-21 18:50:59.000000000 +0000
@@ -889,7 +889,16 @@ static int try_to_unuse(unsigned int typ
lock_page(page);
wait_on_page_writeback(page);
}
- if (PageSwapCache(page))
+
+ /*
+ * It is conceivable that a racing task removed this page from
+ * swap cache just before we acquired the page lock at the top,
+ * or while we dropped it in unuse_mm(). The page might even
+ * be back in swap cache on another swap area: that we must not
+ * delete, since it may not have been written out to swap yet.
+ */
+ if (PageSwapCache(page) &&
+ likely(page_private(page) == entry.val))
delete_from_swap_cache(page);
/*
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2008-11-23 22:01 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-23 21:53 [PATCH 0/8] mm: from gup to vmscan Hugh Dickins
2008-11-23 21:55 ` [PATCH 1/8] mm: gup persist for write permission Hugh Dickins
2008-11-23 21:56 ` [PATCH 2/8] mm: wp lock page before deciding cow Hugh Dickins
2008-11-23 21:58 ` [PATCH 3/8] mm: reuse_swap_page replaces can_share_swap_page Hugh Dickins
2008-11-23 22:11 ` [PATCH] memcg: memswap controller core swapcache fixes Hugh Dickins
2008-11-24 5:43 ` KAMEZAWA Hiroyuki
2008-11-24 6:15 ` KAMEZAWA Hiroyuki
2008-11-24 12:29 ` Hugh Dickins
2008-11-24 12:57 ` KAMEZAWA Hiroyuki
2008-11-23 22:43 ` [PATCH 3/8] mm: reuse_swap_page replaces can_share_swap_page Rik van Riel
2008-11-23 22:00 ` [PATCH 4/8] mm: try_to_free_swap replaces remove_exclusive_swap_page Hugh Dickins
2008-11-23 22:01 ` Hugh Dickins [this message]
2008-11-23 22:03 ` [PATCH 6/8] mm: remove try_to_munlock from vmscan Hugh Dickins
2008-11-23 22:53 ` Rik van Riel
2008-11-24 17:34 ` Lee Schermerhorn
2008-11-24 19:29 ` Hugh Dickins
2008-12-01 20:16 ` Lee Schermerhorn
2008-12-02 0:51 ` Hugh Dickins
2008-11-23 22:05 ` [PATCH 7/8] mm: remove gfp_mask from add_to_swap Hugh Dickins
2008-11-23 22:07 ` [PATCH 8/8] mm: add add_to_swap stub Hugh Dickins
2008-11-23 22:55 ` Rik van Riel
2008-11-24 13:49 ` Hugh Dickins
2008-11-24 13:53 ` [PATCH 9/8] mm: optimize get_scan_ratio for no swap Hugh Dickins
2008-11-24 14:11 ` Rik van Riel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.64.0811232200560.4142@blonde.site \
--to=hugh@veritas.com \
--cc=akpm@linux-foundation.org \
--cc=linux-mm@kvack.org \
--cc=nickpiggin@yahoo.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox