From: Minchan Kim <minchan.kim@gmail.com>
To: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Mel Gorman <mel@csn.ul.ie>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Christoph Lameter <cl@linux-foundation.org>,
	Adam Litke <agl@us.ibm.com>, Avi Kivity <avi@redhat.com>,
	David Rientjes <rientjes@google.com>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Rik van Riel <riel@redhat.com>,
	linux-kernel@vger.kernel.org, linux-mm@kvack.org,
	Hugh Dickins <hugh.dickins@tiscali.co.uk>
Subject: Re: [PATCH 02/11] mm,migration: Do not try to migrate unmapped anonymous pages
Date: Mon, 15 Mar 2010 16:11:31 +0900
Message-ID: <28c262361003150011u4525f6aas9c47760bf9c8faef@mail.gmail.com>
In-Reply-To: <20100315154459.c665f68d.kamezawa.hiroyu@jp.fujitsu.com>

On Mon, Mar 15, 2010 at 3:44 PM, KAMEZAWA Hiroyuki
<kamezawa.hiroyu@jp.fujitsu.com> wrote:
>> Thanks for the detailed explanation, Kame.
>> But I can't understand it well enough, sorry.
>>
>> Mel said he met "use-after-free errors in anon_vma".
>> So he added the check in unmap_and_move.
>>
>> if (PageAnon(page)) {
>>  ....
>>  if (!page_mapcount(page))
>>    goto uncharge;
>>  rcu_read_lock();
>>
>> My concern is: what protects the racy mapcount of the page?
>> For example,
>>
>> CPU A                          CPU B
>> unmap_and_move
>> page_mapcount check pass       zap_pte_range
>> <-- some stall -->             pte_lock
>> <-- some stall -->             page_remove_rmap (map_count is zero!)
>> <-- some stall -->             pte_unlock
>> <-- some stall -->             anon_vma_unlink
>> <-- some stall -->             anon_vma free !!!!
>> rcu_read_lock
>> anon_vma has gone!!
>>
>> I think the above scenario makes the "use-after-free" error again.
>> What prevents the above scenario?
>>
> I think this patch is not complete.
> I guess this patch in [1/11] is the trigger for the race.
> ==
> +
> +       /* Drop an anon_vma reference if we took one */
> +       if (anon_vma && atomic_dec_and_lock(&anon_vma->migrate_refcount, &anon_vma->lock)) {
> +               int empty = list_empty(&anon_vma->head);
> +               spin_unlock(&anon_vma->lock);
> +               if (empty)
> +                       anon_vma_free(anon_vma);
> +       }
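Review bot: the free decision in this hunk is taken on a list_empty(&anon_vma->head) snapshot made under anon_vma->lock, but anon_vma_free() itself runs after spin_unlock(), so the hunk only holds up if the migrate_refcount holder is guaranteed to be the last party able to free; that invariant is not stated anywhere in the hunk. It also presupposes that the reference was taken while the page was still mapped: in the scenario quoted above (page_mapcount check passing before zap_pte_range, page_remove_rmap and anon_vma_unlink run on the other CPU), a reference taken afterwards means atomic_dec_and_lock(&anon_vma->migrate_refcount, ...) already operates on freed memory, and no decrement logic here can recover from that. Suggest documenting where the reference is acquired relative to the last unmap and making the comment state the rule, e.g. `/* Drop an anon_vma reference if we took one; the ref must have been taken while the page was still mapped */`.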
> ==
> If my understanding of the above is correct, this "modify" freed anon_vma.
> Then, use-after-free happens. (In the old implementation, there is no refcnt,
> so there are no use-after-free ops.)
>

I agree.
Let's wait for Mel's response.

>
> So, what I can think of now is that a patch like the following is necessary.
>
> ==
> static inline struct anon_vma *anon_vma_alloc(void)
> {
>        struct anon_vma *anon_vma;
>        anon_vma = kmem_cache_alloc(anon_vma_cachep, GFP_KERNEL);
>        if (!anon_vma)
>                return NULL;
>        /* The allocation itself holds one reference. */
>        atomic_set(&anon_vma->refcnt, 1);
>        return anon_vma;
> }
>
> void anon_vma_free(struct anon_vma *anon_vma)
> {
>        /*
>         * This is called when the anon_vma is...
>         * - anon_vma->vma_list becomes empty.
>         * - a refcnt incremented during migration, ksm etc. is dropped.
>         * - allocated but unused.
>         * Each caller drops one reference; the last one frees.
>         */
>        if (atomic_dec_and_test(&anon_vma->refcnt))
>                kmem_cache_free(anon_vma_cachep, anon_vma);
> }
> ==
> Then everything will become simple.
> Overhead is a concern, but list_empty() helps us much.

When they made things complicated without atomic_op,
there was a reasonable reason, I think. :)

My opinion depends on you and the server guys (Hugh, Rik, Andrea Arcangeli and so on).


>
> Thanks,
> -Kame

-- 
Kind regards,
Minchan Kim
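The two lifetimes under discussion, as an added example that is not code from the thread or the kernel: a user-space model of the refcounted anon_vma Kame proposes, replayed in the CPU A / CPU B order of the table above. The struct fields, `migrate_get()` and the `freed` flag are constructed stand-ins for the kernel's list, reference take and `kmem_cache_free()`.

```c
/* Added example, not kernel code: a user-space model of the refcounted
 * anon_vma lifetime proposed above, replayed in the CPU A / CPU B order
 * from the table. "freed" is a constructed stand-in for kmem_cache_free(). */
#include <stdbool.h>

struct anon_vma {
    int refcnt;     /* Kame's scheme: 1 at alloc, +1 per migration user */
    int nr_vmas;    /* stands in for !list_empty(&anon_vma->head) */
    bool freed;     /* set instead of really freeing, so a UAF is detectable */
};

/* anon_vma_free() from the proposal: drop one reference, free on the last. */
static void anon_vma_put(struct anon_vma *av)
{
    if (--av->refcnt == 0)
        av->freed = true;
}

/* anon_vma_unlink(): the last vma leaving drops the allocation reference. */
static void anon_vma_unlink(struct anon_vma *av)
{
    if (--av->nr_vmas == 0)
        anon_vma_put(av);
}

/* Migration taking its reference; false means the object was already gone,
 * which in the kernel would be the use-after-free the thread describes. */
static bool migrate_get(struct anon_vma *av)
{
    if (av->freed)
        return false;
    av->refcnt++;
    return true;
}

/* Scenario 1: CPU A takes its reference while the page is still mapped, then
 * CPU B unmaps the last vma. True if the anon_vma outlives the unlink and is
 * freed exactly once, when migration drops its reference. */
bool scenario_ref_before_unmap(void)
{
    struct anon_vma av = { .refcnt = 1, .nr_vmas = 1, .freed = false };
    if (!migrate_get(&av))          /* CPU A: refcnt 1 -> 2 */
        return false;
    anon_vma_unlink(&av);           /* CPU B: zap + unlink, refcnt 2 -> 1 */
    bool alive = !av.freed;
    anon_vma_put(&av);              /* CPU A: migration done, refcnt 1 -> 0 */
    return alive && av.freed;
}

/* Scenario 2: the order in the table: the mapcount check passes, CPU B unlinks
 * and frees, and only then does CPU A try to take its reference. A refcount
 * alone cannot save this; true if the late reference is detected as unsafe. */
bool scenario_ref_after_unmap(void)
{
    struct anon_vma av = { .refcnt = 1, .nr_vmas = 1, .freed = false };
    anon_vma_unlink(&av);           /* CPU B: last mapping gone, refcnt 1 -> 0 */
    return av.freed && !migrate_get(&av);   /* CPU A arrives too late */
}
```

The second scenario is the point of Minchan's question: a refcount only protects the object if the reference is acquired before the last unlink, so something else must order the take against the free.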
