On Mon, Jan 26, 2015 at 05:52:14PM +0300, Konstantin Khlebnikov wrote:
> Lockless access to pte in pagemap_pte_range() might race with page migration
> and trigger BUG_ON(!PageLocked()) in migration_entry_to_page():
>
> CPU A (pagemap) CPU B (migration)
> lock_page()
> try_to_unmap(page, TTU_MIGRATION...)
> make_migration_entry()
> set_pte_at()
> <read *pte>
> pte_to_pagemap_entry()
> remove_migration_ptes()
> unlock_page()
> if(is_migration_entry())
> migration_entry_to_page()
> BUG_ON(!PageLocked(page))
>
> Also lockless read might be non-atomic if pte is larger than wordsize.
> Other pte walkers (smaps, numa_maps, clear_refs) already lock ptes.
>
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
> Reported-by: Andrey Ryabinin <a.ryabinin@xxxxxxxxxxx>
> Fixes: 052fb0d635df ("proc: report file/anon bit in /proc/pid/pagemap")
> Cc: Stable <stable@xxxxxxxxxxxxxxx> (v3.5+)
Reviewed-by: Cyrill Gorcunov <gorcunov@xxxxxxxxxx>
Thank you!
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>