From: Hugh Dickins <hughd@google.com>
To: Dashi DS1 Cao <caods1@lenovo.com>
Cc: Hugh Dickins <hughd@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Michal Hocko <mhocko@kernel.org>,
Sasha Levin <alexander.levin@verizon.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: A small window for a race condition in mm/rmap.c:page_lock_anon_vma_read
Date: Thu, 22 Dec 2016 19:34:39 -0800 (PST) [thread overview]
Message-ID: <alpine.LSU.2.11.1612221831580.2799@eggly.anvils> (raw)
In-Reply-To: <23B7B563BA4E9446B962B142C86EF24ADBF309@CNMAILEX03.lenovo.com>
On Fri, 23 Dec 2016, Dashi DS1 Cao wrote:
> The kernel version is "RELEASE: 3.10.0-327.36.3.el7.x86_64". It was the latest kernel release of CentOS 7.2 at that time, or maybe still now.
Okay, thanks: so, basically a v3.10 kernel, with lots of added patches,
but also lacking many more recent fixes.
> I've tried to print the value of anon_vma from other three dumps, but the content is not available in the dump.
> "gdb: page excluded: kernel virtual address: ffff882b47ddadc0"
> I guess it is not copied out because it has already been put into some unused list.
Useful info: that suggests that the anon_vma was rightly freed, and that
it's the page->_mapcount that's wrong. The page isn't really mapped
anywhere now, but appearing to be still page_mapped(), it has tricked
page_lock_anon_vma_read() into thinking the stale anon_vma pointer is
safe to access.
That can happen if there's a race, and a page gets mapped with one pte
on top of another: only one of them will be unmapped later. Incorrect
handling of page table entries. But I cannot remember anywhere that
was shown to happen - beyond a project of my own, which never reached
the tree.
If it's a file page, that usually ends up as BUG_ON(page_mapped(page))
in __delete_from_page_cache() (in v3.10, changed a little later on),
when truncating or unlinking the file or unmounting the filesystem.
Those have been seen in the past, on rare occasions, but I don't
remember actually root-causing any of them. If it's an anon page,
there is no equivalent place for such a BUG_ON.
mremap move has a tricky job to do, and might cause such a problem
if its locking were inadequate: but the only example I see since
v3.10 was dd18dbc2d42a "mm, thp: close race between mremap() and
split_huge_page()", and that used to crash in __split_huge_page().
Or see c0d73261f5c1 "mm/memory.c: use entry = ACCESS_ONCE(*pte)
in handle_pte_fault()", which brings us back to Peter's topic of
over-imaginative compilers; but none of us believed that change
really made a difference in practice.
Cc'ing Sasha Levin, long-time trinity-runner, just in case he might
remember any time when a BUG_ON(page_mapped(page)) was really solved:
if so, there's a chance the explanation might also apply to anonymous
pages, and be responsible for your page_lock_anon_vma_read() crashes.
Hugh
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-12-23 3:34 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-20 9:32 Dashi DS1 Cao
2016-12-21 14:43 ` Michal Hocko
2016-12-22 11:53 ` Dashi DS1 Cao
2016-12-22 12:03 ` Michal Hocko
2016-12-22 12:43 ` Dashi DS1 Cao
2016-12-22 13:51 ` Peter Zijlstra
2016-12-22 22:26 ` Hugh Dickins
2016-12-23 2:02 ` Dashi DS1 Cao
2016-12-23 3:34 ` Hugh Dickins [this message]
2016-12-23 14:19 ` Peter Zijlstra
2016-12-25 2:22 ` Dashi DS1 Cao
2016-12-23 2:38 ` Dashi DS1 Cao
2017-04-22 12:07 ` zhong jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LSU.2.11.1612221831580.2799@eggly.anvils \
--to=hughd@google.com \
--cc=alexander.levin@verizon.com \
--cc=caods1@lenovo.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@kernel.org \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox