From: Matthew Wilcox <willy@infradead.org>
To: zhong jiang <zhongjiang@huawei.com>
Cc: gregkh@linuxfoundation.org, stable@vger.kernel.org,
vbabka@suse.cz, mhocko@suse.com, linux-mm@kvack.org
Subject: Re: [RPF STABLE PATCH] mm/memfd: should be lock the radix_tree when iterating its slot
Date: Thu, 24 Oct 2019 10:41:15 -0700 [thread overview]
Message-ID: <20191024174115.GI2963@bombadil.infradead.org> (raw)
In-Reply-To: <1571929400-12147-1-git-send-email-zhongjiang@huawei.com>
On Thu, Oct 24, 2019 at 11:03:20PM +0800, zhong jiang wrote:
> By reviewing the code, I find that there is an race between iterate
> the radix_tree and radix_tree_insert/delete. Because the former just
> access its slot in rcu protected period. but it fails to prevent the
> radix_tree from being changed.
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
The locking here now matches the locking in memfd_tag_pins() that
was changed in ef3038a573aa8bf2f3797b110f7244b55a0e519c (part of 4.20-rc1).
I didn't notice that I was fixing a bug when I changed the locking.
This bug has been present since 05f65b5c70909ef686f865f0a85406d74d75f70f
(part of 3.17) so backports will need to go further back. This code has
moved around a bit (mm/shmem.c) and the APIs have changed, so it will
take some effort.
> Cc: stable@vger.kernel.org
> Signed-off-by: zhong jiang <zhongjiang@huawei.com>
> ---
> mm/memfd.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
>
> diff --git a/mm/memfd.c b/mm/memfd.c
> index 2bb5e25..0b3fedc 100644
> --- a/mm/memfd.c
> +++ b/mm/memfd.c
> @@ -37,8 +37,8 @@ static void memfd_tag_pins(struct address_space *mapping)
>
> lru_add_drain();
> start = 0;
> - rcu_read_lock();
>
> + xa_lock_irq(&mapping->i_pages);
> radix_tree_for_each_slot(slot, &mapping->i_pages, &iter, start) {
> page = radix_tree_deref_slot(slot);
> if (!page || radix_tree_exception(page)) {
> @@ -47,18 +47,16 @@ static void memfd_tag_pins(struct address_space *mapping)
> continue;
> }
> } else if (page_count(page) - page_mapcount(page) > 1) {
> - xa_lock_irq(&mapping->i_pages);
> radix_tree_tag_set(&mapping->i_pages, iter.index,
> MEMFD_TAG_PINNED);
> - xa_unlock_irq(&mapping->i_pages);
> }
>
> if (need_resched()) {
> slot = radix_tree_iter_resume(slot, &iter);
> - cond_resched_rcu();
> + cond_resched_lock(&mapping->i_pages.xa_lock);
> }
> }
> - rcu_read_unlock();
> + xa_unlock_irq(&mapping->i_pages);
> }
>
> /*
> --
> 1.7.12.4
>
>
next prev parent reply other threads:[~2019-10-24 17:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-24 15:03 [RPF STABLE PATCH] mm/memfd: should be lock the radix_tree when iterating its slot zhong jiang
2019-10-24 17:41 ` Matthew Wilcox [this message]
2019-10-24 23:54 ` Sasha Levin
2019-10-25 15:17 ` Matthew Wilcox
2019-10-26 1:54 ` zhong jiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191024174115.GI2963@bombadil.infradead.org \
--to=willy@infradead.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=stable@vger.kernel.org \
--cc=vbabka@suse.cz \
--cc=zhongjiang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.