Hi all,

I am investigating the rmap code, and I found the below possible race window:

CPU 1                                                CPU 2
-----                                                -----
page_lock_anon_vma_read
  rcu_read_lock
  /* We assume anon_vma == root_anon_vma in this case. */
  root_anon_vma = READ_ONCE(anon_vma->root);
                                                     root_anon_vma is *released* somewhere unfortunately.
  down_read_trylock(&root_anon_vma->rwsem)
                                                     __anon_vma_prepare
                                                       anon_vma_alloc
                                                         root_anon_vma is *allocated* here.
                                                         init_rwsem(&anon_vma->rwsem);
  !page_mapped(page)
  up_read(&root_anon_vma->rwsem);  -- *Oops!*

root_anon_vma->rwsem is reinitialized after being locked, and the reinitialized anon_vma->rwsem will be unlocked without having been locked first.

I think this could happen due to the subtle SLAB_TYPESAFE_BY_RCU. But it can only occur when anon_vma is the root anon_vma, or they won't operate on the same rwsem.

Will this really happen, or am I missing something? Any reply would be greatly appreciated.

Many Thanks! :)
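The interleaving in the post, replayed as a deterministic userspace model (added example; this is not kernel code and not the poster's code). A one-object "slab" stands in for a SLAB_TYPESAFE_BY_RCU cache: freed memory stays typed and can be handed out again while a stale pointer is still in use. The lock is a toy reader count, not the real rwsem. The model runs the same sequence under two policies, the per-allocation init_rwsem the post describes and a constructor-only init that runs once when the memory first becomes an anon_vma, and returns the reader count after CPU 1's up_read so the effect of reinitializing a held lock is visible. Function and field names are chosen for the model and are assumptions, not the kernel's.

```c
#include <stdio.h>

/* Toy reader/writer semaphore; only the counters matter for the model. */
struct rwsem {
    int readers;   /* number of active readers */
    int writer;    /* 1 while a writer holds the lock */
};

static void init_rwsem(struct rwsem *s) { s->readers = 0; s->writer = 0; }

static int down_read_trylock(struct rwsem *s)
{
    if (s->writer)
        return 0;
    s->readers++;
    return 1;
}

static void up_read(struct rwsem *s) { s->readers--; }

struct anon_vma {
    struct rwsem rwsem;
    unsigned long generation;   /* bumped on every (re)allocation */
};

/* One-object slab modelling SLAB_TYPESAFE_BY_RCU reuse: the same memory
 * is handed out again after free, while an RCU reader may still hold a
 * stale pointer to it. init_on_alloc selects the policy under test. */
struct slab {
    struct anon_vma obj;
    int in_use;
    int init_on_alloc;
};

static void slab_init(struct slab *s, int init_on_alloc)
{
    s->in_use = 0;
    s->init_on_alloc = init_on_alloc;
    s->obj.generation = 0;
    init_rwsem(&s->obj.rwsem);   /* "constructor": runs once for this memory */
}

static struct anon_vma *anon_vma_alloc(struct slab *s)
{
    if (s->in_use)
        return NULL;
    s->in_use = 1;
    s->obj.generation++;
    if (s->init_on_alloc)
        init_rwsem(&s->obj.rwsem);   /* the per-allocation init from the post */
    return &s->obj;
}

static void anon_vma_free(struct slab *s, struct anon_vma *av)
{
    (void)av;
    s->in_use = 0;   /* memory stays valid and typed, only reusable */
}

/* Replays the post's interleaving:
 *   CPU1 reads root, CPU2 frees root, CPU1 down_read_trylock succeeds,
 *   CPU2 reallocates the same memory, CPU1 up_read.
 * Returns the reader count afterwards; 0 is consistent, anything else
 * means the lock state was corrupted by the reuse. */
int simulate_race(int init_on_alloc)
{
    struct slab slab;
    slab_init(&slab, init_on_alloc);

    struct anon_vma *root = anon_vma_alloc(&slab);     /* CPU2, earlier */
    struct anon_vma *stale = root;                      /* CPU1: READ_ONCE(anon_vma->root) */
    anon_vma_free(&slab, root);                         /* CPU2: root released */
    int locked = down_read_trylock(&stale->rwsem);      /* CPU1 */
    struct anon_vma *fresh = anon_vma_alloc(&slab);     /* CPU2: anon_vma_alloc on same memory */
    if (locked)
        up_read(&stale->rwsem);                         /* CPU1: !page_mapped(page) path */
    return fresh ? fresh->rwsem.readers : -99;
}

int main(void)
{
    printf("init_rwsem on every alloc: readers=%d\n", simulate_race(1));
    printf("init_rwsem in ctor only:   readers=%d\n", simulate_race(0));
    return 0;
}
```

With per-allocation initialization the count ends at -1: the lock was taken on the old incarnation, reset by the new one, then released, which is exactly the "unlocked without being locked first" state the post points at. With constructor-only initialization the lock/unlock pair simply brackets the reuse and the count returns to 0, which is the property a SLAB_TYPESAFE_BY_RCU cache relies on for any lock embedded in its objects.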