Re: [PATCH 02/11] mm,migration: Do not try to migrate unmapped anonymous pages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2010-03-15 at 11:28 +0000, Mel Gorman wrote:
> The use after free looks like
> 
> 1. page_mapcount(page) was zero so anon_vma was no longer reliable
> 2. rcu lock taken but the anon_vma at this point can already be garbage because the
>    process exited
> 3. call try_to_unmap, looks up tha anon_vma and locks it. This causes problems
> 
> I thought the race would be closed but there is still a very tiny window there all
> right. The following alternative should close it. What do you think?
> 
>         if (PageAnon(page)) {
> 		rcu_read_lock();
> 
>                 /*
>                  * If the page has no mappings any more, just bail. An
>                  * unmapped anon page is likely to be freed soon but worse,
>                  * it's possible its anon_vma disappeared between when
>                  * the page was isolated and when we reached here while
>                  * the RCU lock was not held
>                  */
>                 if (!page_mapcount(page)) {
> 			rcu_read_unlock();
>                         goto uncharge;
> 		}
> 
>                 rcu_locked = 1;
>                 anon_vma = page_anon_vma(page);
>                 atomic_inc(&anon_vma->external_refcount);
>         }
> 
> The rcu_unlock label is not used here because the reference counts were not taken in
> the case where page_mapcount == 0.
> 

Looks good to me. 
Please, repost above code with your use-after-free scenario comment.


-- 
Kind regards,
Minchan Kim


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxxx  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]