+ ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch added to -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled
     Subject: ksm: fix conflict between mmput and scan_get_next_rmap_item
has been added to the -mm tree.  Its filename is
     ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch

This patch should soon appear at
    http://ozlabs.org/~akpm/mmots/broken-out/ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch
and later at
    http://ozlabs.org/~akpm/mmotm/broken-out/ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

The -mm tree is included into linux-next and is updated
there every 3-4 working days

------------------------------------------------------
From: Zhou Chengming <zhouchengming1@xxxxxxxxxx>
Subject: ksm: fix conflict between mmput and scan_get_next_rmap_item

A concurrency issue about KSM in the function scan_get_next_rmap_item.

task A (ksmd):				|task B (the mm's task):
|
mm = slot->mm;				|
down_read(&mm->mmap_sem);		|
|
...					|
|
spin_lock(&ksm_mmlist_lock);		|
|
ksm_scan.mm_slot go to the next slot;	|
|
spin_unlock(&ksm_mmlist_lock);		|
|mmput() ->
|	ksm_exit():
|
|spin_lock(&ksm_mmlist_lock);
|if (mm_slot && ksm_scan.mm_slot != mm_slot) {
|	if (!mm_slot->rmap_list) {
|		easy_to_free = 1;
|		...
|
|if (easy_to_free) {
|	mmdrop(mm);
|	...
|
|So this mm_struct will be freed successfully.
|
up_read(&mm->mmap_sem);			|

As we can see above, the ksmd thread may access a mm_struct that already
been freed to the kmem_cache.
Suppose a fork will get this mm_struct from the kmem_cache, the ksmd thread
then call up_read(&mm->mmap_sem), will cause mmap_sem.count to become -1.
I changed the scan_get_next_rmap_item function refered to the khugepaged
scan function.

Link: http://lkml.kernel.org/r/1462452176-33462-1-git-send-email-zhouchengming1@xxxxxxxxxx
Signed-off-by: Zhou Chengming <zhouchengming1@xxxxxxxxxx>
Cc: Hugh Dickins <hughd@xxxxxxxxxx>
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Vlastimil Babka <vbabka@xxxxxxx>
Cc: Geliang Tang <geliangtang@xxxxxxx>
Cc: Minchan Kim <minchan@xxxxxxxxxx>
Cc: Hanjun Guo <guohanjun@xxxxxxxxxx>
Cc: Ding Tianhong <dingtianhong@xxxxxxxxxx>
Cc: Li Bin <huawei.libin@xxxxxxxxxx>
Cc: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
Cc: Xishi Qiu <qiuxishi@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/ksm.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff -puN mm/ksm.c~ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item mm/ksm.c
--- a/mm/ksm.c~ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item
+++ a/mm/ksm.c
@@ -1640,6 +1640,7 @@ next_mm:
 	 * because there were no VM_MERGEABLE vmas with such addresses.
 	 */
 	remove_trailing_rmap_items(slot, ksm_scan.rmap_list);
+	up_read(&mm->mmap_sem);
 
 	spin_lock(&ksm_mmlist_lock);
 	ksm_scan.mm_slot = list_entry(slot->mm_list.next,
@@ -1656,16 +1657,12 @@ next_mm:
 		 */
 		hash_del(&slot->link);
 		list_del(&slot->mm_list);
-		spin_unlock(&ksm_mmlist_lock);
 
 		free_mm_slot(slot);
 		clear_bit(MMF_VM_MERGEABLE, &mm->flags);
-		up_read(&mm->mmap_sem);
 		mmdrop(mm);
-	} else {
-		spin_unlock(&ksm_mmlist_lock);
-		up_read(&mm->mmap_sem);
 	}
+	spin_unlock(&ksm_mmlist_lock);
 
 	/* Repeat until we've completed scanning the whole list */
 	slot = ksm_scan.mm_slot;
_

Patches currently in -mm which might be from zhouchengming1@xxxxxxxxxx are

ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel Newbies FAQ]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Photo]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux