Date: Fri, 27 Aug 2010 15:56:48 -0500 (CDT)
From: Christoph Lameter
Subject: Re: [PATCH] mm: fix hang on anon_vma->root->lock
References: <20100826235052.GZ6803@random.random> <20100827095546.GC6803@random.random>
To: Hugh Dickins
Cc: Andrea Arcangeli, Linus Torvalds, Andrew Morton, Rik van Riel, Peter Zijlstra, linux-kernel@vger.kernel.org, linux-mm@kvack.org

On Fri, 27 Aug 2010, Hugh Dickins wrote:

> Nothing ensures that the root pointer was not changed after the
> ACCESS_ONCE, that's exactly why we use ACCESS_ONCE there: once we've
> got the lock and realize that what we've locked may not be what we
> wanted (or may change from what we were wanting at any moment, the
> page no longer being mapped there - but in that case we no longer want
> it), we have to be sure to unlock the one we locked, rather than the
> one which anon_vma->root might subsequently point to.

I do not see any check after we have taken the lock to verify that we
locked the correct object. Was there a second version of the patch?

> > Since there is no lock taken before the mapped check none of the
> > earlier reads from the anon vma structure nor the page mapped check
> > necessarily reflect a single state of the anon_vma.
>
> There's no lock (other than RCU's read "lock") taken before the
> original mapped check, and that's important, otherwise our attempt to
> lock might actually spin on or corrupt something that was long ago an
> anon_vma. But we do take the anon_vma->root->lock before the second
> mapped check which I added. If the page is still mapped at the point

You then are using an object from the anon_vma (the pointer) without a
lock! This is therefore unstable unless there are other constraints. The
anon_vma->lock must be taken before dereferencing that pointer. The page
may have been unmapped and mapped again between the two checks. Unlikely
but possible.

> of that second check, then we know that we got the right anon_vma,

I do not see a second check (*after* taking the lock) in the patch and
the way the lock is taken can be a problem in itself.
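Added example, not from the patch under discussion and not written by either participant: a userspace C11 simulation of the lock-then-recheck pattern the thread argues about. It collapses page->mapping->root into a single atomic `root` pointer per page, replaces the kernel spinlock with an `atomic_flag`, stands in for the RCU read-side critical section by never freeing the anon_vma objects, and adds a constructed `race_hook_fn` so the "page remapped between the two checks" interleaving can be forced deterministically. All names (`page_lock_anon_vma_sim`, `remap_to_b`, the `scenario_*` functions) are constructed for this example. The three scenarios show the stable case, the remap-between-checks case (the second check under the lock catches it and releases exactly the lock that was taken), and the hazard from the quoted text: unlocking through a fresh read of the root pointer releases the wrong object and leaves the real lock held.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for struct anon_vma: only the root lock matters here. */
struct anon_vma {
    atomic_flag lock;    /* spinlock stand-in for anon_vma->root->lock */
    const char *name;
};

/* Constructed stand-in for a page: `root` is the anon_vma root currently
 * mapping it, or NULL when the page is unmapped. The real code reaches the
 * root via page->mapping->root; that indirection is collapsed here. */
struct page {
    _Atomic(struct anon_vma *) root;
};

/* Single, non-tearing read of the pointer, playing the role of ACCESS_ONCE(). */
#define READ_ONCE_PTR(p) atomic_load_explicit(&(p), memory_order_acquire)

static void av_lock(struct anon_vma *av)
{
    while (atomic_flag_test_and_set_explicit(&av->lock, memory_order_acquire))
        ;   /* spin */
}

static void av_unlock(struct anon_vma *av)
{
    atomic_flag_clear_explicit(&av->lock, memory_order_release);
}

/* Probe: 1 if the lock is currently free (trylock then release), else 0. */
static int av_is_unlocked(struct anon_vma *av)
{
    if (atomic_flag_test_and_set_explicit(&av->lock, memory_order_acquire))
        return 0;
    atomic_flag_clear_explicit(&av->lock, memory_order_release);
    return 1;
}

/* Constructed test hook, run between the unlocked read and the lock acquisition,
 * so a caller can simulate a concurrent unmap/remap. The kernel has no such hook. */
typedef void (*race_hook_fn)(struct page *);

/* Lock the anon_vma root mapping `page`. Returns the locked root, or NULL if the
 * page is not (or no longer) mapped. The caller must unlock through the returned
 * pointer, never through a fresh read of page->root. */
struct anon_vma *page_lock_anon_vma_sim(struct page *page, race_hook_fn hook)
{
    /* First check, without any lock: the pointer may only be read here. */
    struct anon_vma *root = READ_ONCE_PTR(page->root);
    if (root == NULL)
        return NULL;

    if (hook)
        hook(page);  /* simulated window in which another CPU remaps the page */

    /* The object must still exist here; RCU guarantees that in the kernel,
     * the never-freed globals guarantee it in this simulation. */
    av_lock(root);

    /* Second check, now under the lock: is the page still mapped by the root
     * we locked? If not, release exactly the lock we took and give up. */
    if (READ_ONCE_PTR(page->root) != root) {
        av_unlock(root);
        return NULL;
    }
    return root;
}

/* Sample objects, constructed for the example. */
struct anon_vma root_a = { ATOMIC_FLAG_INIT, "A" };
struct anon_vma root_b = { ATOMIC_FLAG_INIT, "B" };

/* Simulates another CPU unmapping the page and mapping it under root B. */
static void remap_to_b(struct page *page)
{
    atomic_store_explicit(&page->root, &root_b, memory_order_release);
}

/* Scenario 1: no interference. Returns 1 if A was held inside and free after. */
int scenario_stable(void)
{
    struct page page = { &root_a };
    struct anon_vma *locked = page_lock_anon_vma_sim(&page, NULL);
    if (locked != &root_a || av_is_unlocked(&root_a))
        return 0;
    av_unlock(locked);
    return av_is_unlocked(&root_a);
}

/* Scenario 2: page remapped between the two checks. Returns 1 if the call
 * reports failure and leaves both A and B unlocked. */
int scenario_remapped(void)
{
    struct page page = { &root_a };
    struct anon_vma *locked = page_lock_anon_vma_sim(&page, remap_to_b);
    if (locked != NULL)
        return 0;
    return av_is_unlocked(&root_a) && av_is_unlocked(&root_b);
}

/* Scenario 3: the hazard in the quoted text. A is held, the page is remapped,
 * and the unlock goes through a fresh read of page->root: B (never held) is
 * cleared and A stays locked. Returns 1 if that leak is observed, then repairs it. */
int scenario_unlock_wrong_object(void)
{
    struct page page = { &root_a };
    struct anon_vma *locked = page_lock_anon_vma_sim(&page, NULL);  /* A held */
    remap_to_b(&page);
    av_unlock(READ_ONCE_PTR(page.root));  /* buggy: releases B, not A */
    int leaked = !av_is_unlocked(&root_a) && av_is_unlocked(&root_b);
    av_unlock(locked);                    /* correct release, via the saved pointer */
    return leaked;
}

int main(void)
{
    printf("stable=%d remapped=%d wrong_unlock_leaks=%d\n",
           scenario_stable(), scenario_remapped(), scenario_unlock_wrong_object());
    return 0;
}
```

The simulation deliberately keeps the first `root` read and the lock/unlock on the same local variable; that is the only thing that makes the unlock in scenario 2 and the final release in scenario 3 land on the object that was actually locked.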