On Fri, Aug 27, 2010 at 1:56 PM, Christoph Lameter <cl@linux.com> wrote:
quoted text
> On Fri, 27 Aug 2010, Hugh Dickins wrote:
>
>> Nothing ensures that the root pointer was not changed after the
>> ACCESS_ONCE, that's exactly why we use ACCESS_ONCE there: once we've
>> got the lock and realize that what we've locked may not be what we
>> wanted (or may change from what we were wanting at any moment, the
>> page no longer being mapped there - but in that case we no longer want
>> it), we have to be sure to unlock the one we locked, rather than the
>> one which anon_vma->root might subsequently point to.
>
> I do not see any check after we have taken the lock to verify that we
> locked the correct object. Was there a second version of the patch?

No second version of the patch, no.  As I said already, it's that
second page_mapped check which gives the guarantee that the anon_vma
has not yet been freed, hence we've locked the correct object.

quoted text
>
>> > Since there is no lock taken before the mapped check none of the
>> > earlier reads from the anon vma structure nor the page mapped check
>> > necessarily reflect a single state of the anon_vma.
>>
>> There's no lock (other than RCU's read "lock")  taken before the
>> original mapped check, and that's important, otherwise our attempt to
>> lock might actually spinon or corrupt something that was long ago an
>> anon_vma.  But we do take the anon_vma->root->lock before the second
>> mapped check which I added.  If the page is still mapped at the point
>
> You then are using an object from the anon_vma (the pointer) without a
> lock!

Yes. (not counting RCU's read "lock" as a lock).

quoted text
> This is unstable therefore unless there are other constraints. The
> anon_vma->lock must be taken before derefencing that pointer.

No, SLAB_DESTROY_BY_RCU gives us just the stablity we need to take the lock.

quoted text
> The page may
> have been unmapped and mapped again between the two checks. Unlikely but
> possible.

Yes, unlikely but possible.  (Well, actually, is it possible?  It can
be unmapped on exit without any lock, but unmapping for pageout would
require the page lock, would insert a swp_entry_t, and mapping again
would go to do_swap_page which would again require the page lock.  But
never mind that, let's assume there is a way it can be unmapped and
mapped again.)  The thing is, page->mapping will point to the same
anon_vma throughout, that only gets reset when the page is freed, and
there should be nowhere else that modifies page->mapping once it's
been set to anon_vma - if you know of somewhere, please point to it,
we do need to examine that case.

quoted text
>
>> of that second check, then we know that we got the right anon_vma,
>
> I do not see a second check (*after* taking the lock) in the patch






quoted text
> and the
> way the lock is taken can be a problem in itself.
>
>
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/