Re: [PATCH 2/7] mm: fix potential anon_vma locking issue in mprotect()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 04, 2012 at 04:27:45PM +0200, Andrea Arcangeli wrote:
> Hi Michel,
> 
> On Tue, Sep 04, 2012 at 02:20:52AM -0700, Michel Lespinasse wrote:
> > This change fixes an anon_vma locking issue in the following situation:
> > - vma has no anon_vma
> > - next has an anon_vma
> > - vma is being shrunk / next is being expanded, due to an mprotect call
> > 
> > We need to take next's anon_vma lock to avoid races with rmap users
> > (such as page migration) while next is being expanded.
> > 
> > This change also removes an optimization which avoided taking anon_vma
> > lock during brk adjustments. We could probably make that optimization
> > work again, but the following anon rmap change would break it,
> > so I kept things as simple as possible here.
> 
> Agreed, definitely a bug not to take the lock whenever any
> vm_start/vm_pgoff are moved, regardless if they're the next or current
> vma. Only vm_end can be moved without taking the lock.
> 
> I'd prefer to fix it like this though:
> 
> -	if (vma->anon_vma && (importer || start != vma->vm_start)) {
> +	if ((vma->anon_vma && (importer || start != vma->vm_start) ||
> +           (adjust_next && next->anon_vma)) {

I think the minimal fix would actually be:

 	if (vma->anon_vma && (importer || start != vma->vm_start)) {
 		anon_vma = vma->anon_vma;
+	else if (next->anon_vma && adjust_next)
+		anon_vma = next->anon_vma;

I suppose if we were to consider adding this fix to the stable series,
we should probably do it in such a minimal way. I hadn't actually
considered it, because I was only thinking about this patch series,
and at patch 4/7 it becomes necessary to lock the anon_vma even if
only the vm_end side gets modified (so we'd still end up with what I
proposed in the end)

-- 
Michel "Walken" Lespinasse
A program is never fully debugged until the last user dies.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>


[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]