On Mon, 2010-03-15 at 11:28 +0000, Mel Gorman wrote:
> The use after free looks like
>
> 1. page_mapcount(page) was zero so anon_vma was no longer reliable
> 2. rcu lock taken but the anon_vma at this point can already be garbage because the
>    process exited
> 3. call try_to_unmap, looks up the anon_vma and locks it. This causes problems
>
> I thought the race would be closed but there is still a very tiny window there all
> right. The following alternative should close it. What do you think?
>
> 	if (PageAnon(page)) {
> 		rcu_read_lock();
>
> 		/*
> 		 * If the page has no mappings any more, just bail. An
> 		 * unmapped anon page is likely to be freed soon but worse,
> 		 * it's possible its anon_vma disappeared between when
> 		 * the page was isolated and when we reached here while
> 		 * the RCU lock was not held
> 		 */
> 		if (!page_mapcount(page)) {
> 			rcu_read_unlock();
> 			goto uncharge;
> 		}
>
> 		rcu_locked = 1;
> 		anon_vma = page_anon_vma(page);
> 		atomic_inc(&anon_vma->external_refcount);
> 	}
>
> The rcu_unlock label is not used here because the reference counts were not taken in
> the case where page_mapcount == 0.
>

Looks good to me.
Please, repost above code with your use-after-free scenario comment.

-- 
Kind regards,
Minchan Kim