On Fri, 9 Apr 2010 16:57:03 +0900 KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx> wrote: > On Fri, 9 Apr 2010 16:29:59 +0900 (JST) > KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx> wrote: > > > Hmm, I think following. > > > > > > Assume a page is ANON and SwapCache, and it has only one reference. > > > Consider it's read-only mapped and cause do_wp_page(). > > > page_mapcount(page) == 1 here. > > > > > > CPU0 CPU1 > > > > > > 1. do_wp_page() > > > 2. ..... > > > 3. replace anon_vma. anon_vma = lock_page_anon_vma() > > > > > > So, lock_page_anon_vma() may have lock on wrong anon_vma, here.(mapcount=1) > > > > > > 4. modify pte to writable. do something... > > > > > > After lock, in CPU1, a pte of estimated address by vma_address(vma, page) > > > containes pfn of the page and page_check_address() will success. > > > > > > I'm not sure how this is dangerouns. > > > But it's possible that CPU1 cannot notice there was anon_vma replacement. > > > And modifies pte withoug holding anon vma's lock which the code believes > > > it's holded. > > > > > > Hehe, page_referenced() already can take unstable VM_LOCKED value. So, > > In worst case we make false positive pageout, but it's not disaster. > > I think. Anyway "use after free" don't happen by this blutal code. > > > > However, I think you pointed one good thing. before Rik patch, we don't have > > page->mapping reassignment. then, we didn't need rcu_dereference(). > > but now it can happen. so, I think rcu_dereference() is better. > > > > Perhaps, I'm missing something. > > > > Hmm. I wonder we can check "whether we lock valid anon_vma or not" only under > pte_lock or lock_page(). > == > anon_vma = page_anon_vma(); > lock(anon_vma->lock); > .... > page_check_address(page) > .... > pte_lock(); > if (page_anon_vma(page) == anon_vma) > # anon_vma replacement happens! > unlock(anon_vma->lock); > == > So, rather than page_lock_anon_vma(), page_check_address() may have to check anon_vma > replacement....But I cannot think of dangerous case which can cause panic for now. > I may miss something... > Ah...anon_vma replacemet occurs under lock_page() and pte_lock. Almost all callers of page_lock_anon_vma() holds lock_page(). So, I think this anon_vma replacement is not very serious. Hmm... Thanks, -Kame -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
