The patch titled
Subject: ksm: fix conflict between mmput and scan_get_next_rmap_item
has been added to the -mm tree. Its filename is
ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Zhou Chengming <zhouchengming1@xxxxxxxxxx>
Subject: ksm: fix conflict between mmput and scan_get_next_rmap_item
A concurrency issue about KSM in the function scan_get_next_rmap_item.
task A (ksmd): |task B (the mm's task):
|
mm = slot->mm; |
down_read(&mm->mmap_sem); |
|
... |
|
spin_lock(&ksm_mmlist_lock); |
|
ksm_scan.mm_slot go to the next slot; |
|
spin_unlock(&ksm_mmlist_lock); |
|mmput() ->
| ksm_exit():
|
|spin_lock(&ksm_mmlist_lock);
|if (mm_slot && ksm_scan.mm_slot != mm_slot) {
| if (!mm_slot->rmap_list) {
| easy_to_free = 1;
| ...
|
|if (easy_to_free) {
| mmdrop(mm);
| ...
|
|So this mm_struct will be freed successfully.
|
up_read(&mm->mmap_sem); |
As we can see above, the ksmd thread may access a mm_struct that already
been freed to the kmem_cache.
Suppose a fork will get this mm_struct from the kmem_cache, the ksmd thread
then call up_read(&mm->mmap_sem), will cause mmap_sem.count to become -1.
I changed the scan_get_next_rmap_item function refered to the khugepaged
scan function.
Link: http://lkml.kernel.org/r/1462452176-33462-1-git-send-email-zhouchengming1@xxxxxxxxxx
Signed-off-by: Zhou Chengming <zhouchengming1@xxxxxxxxxx>
Cc: Hugh Dickins <hughd@xxxxxxxxxx>
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Vlastimil Babka <vbabka@xxxxxxx>
Cc: Geliang Tang <geliangtang@xxxxxxx>
Cc: Minchan Kim <minchan@xxxxxxxxxx>
Cc: Hanjun Guo <guohanjun@xxxxxxxxxx>
Cc: Ding Tianhong <dingtianhong@xxxxxxxxxx>
Cc: Li Bin <huawei.libin@xxxxxxxxxx>
Cc: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
Cc: Xishi Qiu <qiuxishi@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
mm/ksm.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff -puN mm/ksm.c~ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item mm/ksm.c
--- a/mm/ksm.c~ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item
+++ a/mm/ksm.c
@@ -1640,6 +1640,7 @@ next_mm:
* because there were no VM_MERGEABLE vmas with such addresses.
*/
remove_trailing_rmap_items(slot, ksm_scan.rmap_list);
+ up_read(&mm->mmap_sem);
spin_lock(&ksm_mmlist_lock);
ksm_scan.mm_slot = list_entry(slot->mm_list.next,
@@ -1656,16 +1657,12 @@ next_mm:
*/
hash_del(&slot->link);
list_del(&slot->mm_list);
- spin_unlock(&ksm_mmlist_lock);
free_mm_slot(slot);
clear_bit(MMF_VM_MERGEABLE, &mm->flags);
- up_read(&mm->mmap_sem);
mmdrop(mm);
- } else {
- spin_unlock(&ksm_mmlist_lock);
- up_read(&mm->mmap_sem);
}
+ spin_unlock(&ksm_mmlist_lock);
/* Repeat until we've completed scanning the whole list */
slot = ksm_scan.mm_slot;
_
Patches currently in -mm which might be from zhouchengming1@xxxxxxxxxx are
ksm-fix-conflict-between-mmput-and-scan_get_next_rmap_item.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
