On Fri, Jun 03, 2011 at 10:06:14AM -0700, Hugh Dickins wrote:
> On Thu, 2 Jun 2011, Andrea Arcangeli wrote:
> > On Thu, Jun 02, 2011 at 10:29:39AM -0700, Hugh Dickins wrote:
> > > Andrea, I didn't study the patch you posted half an hour ago,
> > > since by that time I'd worked it out and was preparing patch below.
> > > I think your patch would be for a different bug, hopefully one we
> > > don't have, it looks more complicated than we should need for this.
> >
> > I didn't expect two different bugs leading to double free.
>
> There wasn't a double free there, just failure to cope with race
> emptying the list, so accessing head when expecting a full entry.

Yes, we thought it was a double free initially because of two dead
pointers, but we couldn't explain why mm was null so consistently.

> You'll see from the "beware" comment in scan_get_next_rmap_item()
> that this case is expected, that it sometimes reaches freeing the
> slots before the exiting task reaches __ksm_exit().
>
> That race should already be handled. I believe your patch is unnecessary,
> because get_mm_slot() is a hashlist lookup, and will return NULL once
> either end has done the hlist_del(&mm_slot->link).

Ok, so that case is handled by get_mm_slot() not succeeding. I see, thanks for the review.