On Mon, 15 Mar 2010 15:44:59 +0900
KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx> wrote:

> On Mon, 15 Mar 2010 15:28:15 +0900
> Minchan Kim <minchan.kim@xxxxxxxxx> wrote:
>
> > On Mon, Mar 15, 2010 at 2:34 PM, KAMEZAWA Hiroyuki
> > <kamezawa.hiroyu@xxxxxxxxxxxxxx> wrote:
> > > On Mon, 15 Mar 2010 09:28:08 +0900
> > > Minchan Kim <minchan.kim@xxxxxxxxx> wrote:
>
> > I think the above scenario makes a "use-after-free" error again.
> > What prevents the above scenario?
>
> I think this patch is not complete.
> I guess this patch in [1/11] is the trigger for the race.
> ==
> +
> + /* Drop an anon_vma reference if we took one */
> + if (anon_vma && atomic_dec_and_lock(&anon_vma->migrate_refcount, &anon_vma->lock)) {
> + int empty = list_empty(&anon_vma->head);
> + spin_unlock(&anon_vma->lock);
> + if (empty)
> + anon_vma_free(anon_vma);
> + }
> ==
> If my understanding in the above is correct, this "modifies" a freed anon_vma.
> Then, use-after-free happens. (In the old implementation, there is no refcnt,
> so there are no use-after-free ops.)
>

Sorry, about the above, my understanding was wrong.
anon_vma->lock is modified even in the old code.

Sorry for the noise.

-Kame

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxxx  For more info on Linux MM,
see: http://www.linux-mm.org/ .
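Review bot: the quoted hunk drops anon_vma->lock before calling anon_vma_free(), and nothing in the hunk says what keeps the anon_vma alive across that window once migrate_refcount has reached zero and anon_vma->head is empty; that ordering is exactly the "use-after-free" question being asked in this thread, so it needs a comment stating the invariant. atomic_dec_and_lock() only acquires the lock when the count drops to zero, so the `int empty = list_empty(&anon_vma->head);` test runs with the last migration reference already gone; a reader cannot tell from these lines whether an unlink path that also observes an empty list can free the same anon_vma, or whether a lookup that reached the anon_vma through a stale page->mapping and is spinning on anon_vma->lock can touch it after the `spin_unlock(&anon_vma->lock);`. Suggest adding a comment above the `if (anon_vma && atomic_dec_and_lock(...))` block naming the rule that makes the unlock-then-free safe (who may hold or wait on anon_vma->lock when both the refcount and the list are empty), or pointing at the matching check on the unlink side, so the lifetime argument is visible at the free site rather than implied. Also, the comment "Drop an anon_vma reference if we took one" relies on anon_vma being NULL whenever no reference was taken; stating that explicitly would make the condition self-documenting.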