On Wed, Mar 17, 2010 at 11:12 AM, KAMEZAWA Hiroyuki
> BTW, I doubt freeing anon_vma can happen even when we check mapcount.
>
> "unmap" is a 2-stage operation.
> 1. unmap_vmas() => modify ptes, free pages, etc.
> 2. free_pgtables() => free pgtables, unlink vma and free it.
>
> Then, if migration is slow enough:
>
> Migration():                        Exit():
>   check mapcount
>   rcu_read_lock
>   pte_lock
>   replace pte with migration pte
>   pte_unlock
>                                       pte_lock
>   copy page etc...                    zap pte (clear pte)
>                                       pte_unlock
>                                       free_pgtables
>                                         ->free vma
>                                         ->free anon_vma
>   pte_lock
>   remap pte with new pfn(fail)
>   pte_unlock
>
>   lock anon_vma->lock                 # modification after free.
>   check list is empty

check list is empty?
Do you mean anon_vma->head?
If it is, is it possible that that list isn't empty since anon_vma is used by
others due to SLAB_DESTROY_BY_RCU?
But such a case is handled by page_check_address, vma_address, I think.

>   unlock anon_vma->lock
>   free anon_vma
>   rcu_read_unlock
>
>
> Hmm. IIUC, anon_vma is allocated as SLAB_DESTROY_BY_RCU. Then, while
> rcu_read_lock() is taken, anon_vma is anon_vma even if freed. But it
> may be reused as anon_vma for someone else.
> (IOW, it may be reused but never pushed back to general purpose memory
> until RCU grace period.)
> Then, touching anon_vma->lock never causes any corruption.
>
> Is a use-after-free check for SLAB_DESTROY_BY_RCU correct behavior?

Could you elaborate your point?

> Above case is not use-after-free. It's a safe and expected sequence.
>
> Thanks,
> -Kame
>
>
>
>> > ---
>> > mm/migrate.c | 13 +++++++++++++
>> > 1 files changed, 13 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/mm/migrate.c b/mm/migrate.c
>> > index 98eaaf2..6eb1efe 100644
>> > --- a/mm/migrate.c
>> > +++ b/mm/migrate.c
>> > @@ -603,6 +603,19 @@ static int unmap_and_move(new_page_t get_new_page, unsigned long private,
>> > */
>> > if (PageAnon(page)) {
>> > rcu_read_lock();
>> > +
>> > + /*
>> > + * If the page has no mappings any more, just bail. An
>> > + * unmapped anon page is likely to be freed soon but worse,
>> > + * it's possible its anon_vma disappeared between when
>> > + * the page was isolated and when we reached here while
>> > + * the RCU lock was not held
>> > + */
>> > + if (!page_mapcount(page)) {
>> > + rcu_read_unlock();
>> > + goto uncharge;
>> > + }
>> > +
>> > rcu_locked = 1;
>> > anon_vma = page_anon_vma(page);
>> > atomic_inc(&anon_vma->migrate_refcount);
>> >
>>
>> --
>> To unsubscribe, send a message with 'unsubscribe linux-mm' in
>> the body to majordomo@xxxxxxxxxx For more info on Linux MM,
>> see: http://www.linux-mm.org/ .
>> Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>
>>
>
>

--
Kind regards,
Minchan Kim
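Review bot: the comment added in this hunk overstates what the check guarantees: reading page_mapcount() under rcu_read_lock() only tells you the page is unmapped at that instant and cannot stop the mappings from going away right after the check, so what actually keeps the following page_anon_vma() and atomic_inc(&anon_vma->migrate_refcount) from touching freed memory is the held rcu_read_lock() together with anon_vma being SLAB_DESTROY_BY_RCU (the object may be recycled for another owner, but stays an anon_vma), which is the point KAMEZAWA raises above. Suggest rewording the comment to say the check merely skips work on a page that is already unmapped and likely to be freed, and that the RCU read section is the real protection; also terminate its last sentence ("... the RCU lock was not held.") and add a line noting that the early `goto uncharge` deliberately leaves rcu_locked unset after the explicit rcu_read_unlock(), so any later code keyed on rcu_locked will not unlock a second time.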
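As an added illustration of the SLAB_DESTROY_BY_RCU point Kame makes above (a userspace model written for this note, not kernel code and not part of the patch): a two-slot pool stands in for the anon_vma slab, the Migration()/Exit() interleaving from the timeline is replayed sequentially, and `model_race()` shows that the stale pointer still addresses a valid anon_vma (so nothing is corrupted) but one that now belongs to another owner unless the reader rechecks page->mapping after taking the lock. The struct fields, the `owner` tag and the recheck flag are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>
struct anon_vma { int locked; int owner; };                 /* modelled fields only */
struct page     { struct anon_vma *mapping; int mapcount; };
/* Two-slot "slab" that is never handed back to a page allocator: a freed slot is
 * reusable at once, but its memory stays typed as an anon_vma (SLAB_DESTROY_BY_RCU). */
#define POOL_SLOTS 2
static struct anon_vma pool[POOL_SLOTS];
static bool slot_in_use[POOL_SLOTS];
static struct anon_vma *anon_vma_alloc(int owner)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (slot_in_use[i]) continue;
        slot_in_use[i] = true;
        pool[i].owner = owner;
        pool[i].locked = 0;
        return &pool[i];
    }
    return NULL;
}
static void anon_vma_free(struct anon_vma *av) { slot_in_use[av - pool] = false; }
enum outcome { BAILED_OUT, TOUCHED_RECYCLED, OK_SAME_OWNER };
/* Replay the Migration()/Exit() interleaving from the mail. With recheck=true the reader,
 * once it holds av->lock, confirms the page still maps to that anon_vma (the
 * page_lock_anon_vma() discipline); with recheck=false it simply trusts its pointer. */
enum outcome model_race(bool recheck)
{
    memset(pool, 0, sizeof pool);
    memset(slot_in_use, 0, sizeof slot_in_use);
    struct anon_vma *av = anon_vma_alloc(1);
    struct page page = { .mapping = av, .mapcount = 1 };
    /* Migration(): check mapcount, rcu_read_lock, take the anon_vma pointer. */
    if (!page.mapcount)
        return BAILED_OUT;
    struct anon_vma *seen = page.mapping;
    /* Exit(): zap pte, free vma and anon_vma; the slot is recycled for owner 2 at once. */
    page.mapcount = 0;
    page.mapping = NULL;
    anon_vma_free(av);
    struct anon_vma *reused = anon_vma_alloc(2);        /* same address as `seen` */
    /* Migration(): lock anon_vma->lock. The memory is still an anon_vma, so nothing is
     * corrupted, but it belongs to owner 2 unless the reader notices. */
    seen->locked = 1;
    enum outcome r = BAILED_OUT;
    if (!recheck || (page.mapping == seen && page.mapcount))
        r = (seen == reused && seen->owner != 1) ? TOUCHED_RECYCLED : OK_SAME_OWNER;
    seen->locked = 0;                                   /* unlock, then rcu_read_unlock */
    return r;
}
```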