• Zhou Chengming's avatar
    ksm: fix conflict between mmput and scan_get_next_rmap_item · 7496fea9
    Zhou Chengming authored
    A concurrency issue about KSM in the function scan_get_next_rmap_item.
    
    task A (ksmd):				|task B (the mm's task):
    					|
    mm = slot->mm;				|
    down_read(&mm->mmap_sem);		|
    					|
    ...					|
    					|
    spin_lock(&ksm_mmlist_lock);		|
    					|
    ksm_scan.mm_slot go to the next slot;	|
    					|
    spin_unlock(&ksm_mmlist_lock);		|
    					|mmput() ->
    					|	ksm_exit():
    					|
    					|spin_lock(&ksm_mmlist_lock);
    					|if (mm_slot && ksm_scan.mm_slot != mm_slot) {
    					|	if (!mm_slot->rmap_list) {
    					|		easy_to_free = 1;
    					|		...
    					|
    					|if (easy_to_free) {
    					|	mmdrop(mm);
    					|	...
    					|
    					|So this mm_struct may be freed in the mmput().
    					|
    up_read(&mm->mmap_sem);			|
    
    As we can see above, the ksmd thread may access a mm_struct that already
    been freed to the kmem_cache.  Suppose a fork will get this mm_struct from
    the kmem_cache, the ksmd thread then call up_read(&mm->mmap_sem), will
    cause mmap_sem.count to become -1.
    
    As suggested by Andrea Arcangeli, unmerge_and_remove_all_rmap_items has
    the same SMP race condition, so fix it too.  My prev fix in function
    scan_get_next_rmap_item will introduce a different SMP race condition, so
    just invert the up_read/spin_unlock order as Andrea Arcangeli said.
    
    Link: http://lkml.kernel.org/r/1462708815-31301-1-git-send-email-zhouchengming1@huawei.comSigned-off-by: default avatarZhou Chengming <zhouchengming1@huawei.com>
    Suggested-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
    Reviewed-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Geliang Tang <geliangtang@163.com>
    Cc: Minchan Kim <minchan@kernel.org>
    Cc: Hanjun Guo <guohanjun@huawei.com>
    Cc: Ding Tianhong <dingtianhong@huawei.com>
    Cc: Li Bin <huawei.libin@huawei.com>
    Cc: Zhen Lei <thunder.leizhen@huawei.com>
    Cc: Xishi Qiu <qiuxishi@huawei.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7496fea9
ksm.c 63.3 KB