On 2021/5/14 17:16, Miaohe Lin wrote:
> Hi all,
> I am investigating the rmap code, and I found the below possible race window:
>
> CPU 1                                                  CPU 2
> -----                                                  -----
> page_lock_anon_vma_read
>   rcu_read_lock
>   /* We assume anon_vma == root_anon_vma in this case. */
>   root_anon_vma = READ_ONCE(anon_vma->root);
>                                                        root_anon_vma is *released* somewhere unfortunately.
>   down_read_trylock(&root_anon_vma->rwsem)
>                                                        __anon_vma_prepare
>                                                          anon_vma_alloc
>                                                            root_anon_vma is *allocated* here.
>                                                            init_rwsem(&anon_vma->rwsem);
>   !page_mapped(page)
>   up_read(&root_anon_vma->rwsem); -- *Oops!*
>
> root_anon_vma->rwsem is reinitialized after it is locked, and the reinitialized anon_vma->rwsem will be
> unlocked without having been locked first.
>
> I think this could happen due to the subtle SLAB_TYPESAFE_BY_RCU. But it can only occur when anon_vma
> is the root anon_vma, or they won't operate on the same rwsem.
> Can this really happen, or am I missing something? I would be very grateful for any reply.
> Many thanks! :)

I would be very grateful for any reply. Many thanks!