Re: [PATCH] fix swapin race condition

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Andrea Arcangeli <aarcange@redhat.com>
To: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Greg KH <greg@kroah.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Rik van Riel <riel@redhat.com>,
	linux-mm@kvack.org
Subject: Re: [PATCH] fix swapin race condition
Date: Thu, 16 Sep 2010 23:03:49 +0200	[thread overview]
Message-ID: <20100916210349.GU5981@random.random> (raw)
In-Reply-To: <alpine.DEB.2.00.1009151703060.7332@tigran.mtv.corp.google.com>

Hi Hugh,

On Wed, Sep 15, 2010 at 05:10:36PM -0700, Hugh Dickins wrote:
> I agree that if my scenario happened on its own, the pte_same check
> would catch it.  But if my scenario happens along with your scenario
> (and I'm thinking that the combination is not that much less likely
> than either alone), then the PageSwapCache test will succeed and the
> pte_same test will succeed, but we're still putting the wrong page into
> the pte, since this page is now represented by a different swap entry
> (and the page that should be there by our original swap entry).

If I understood well you're saying that it is possible that this
BUG_ON triggers:

   page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
   BUG_ON(page_private(page) != entry.val && pte_same(page_table, orig_pte));
   if (unlikely(!pte_same(*page_table, orig_pte)))

I still don't get it (that doesn't make me right though).

I'll try to rephrase my argument: if the page was swapped in from
swapcache by swapoff and then swapon runs again and the page is added
to swapcache to a different swap entry, in between the
lookup_swap_cache and the lock_page, the pte_same(*page_table,
orig_pte) in pte_same should always fail in the first place (so
without requiring the page_private(page) != entry.val check).

If the page is found mapped during pte_same the pte_same check will
fail (pte_present first of all). If the page got unmapped and
page_private(page) != entry.val, the "entry" == "orig_pte" will be
different to what we read in *page_table at the above BUG_ON line (the
page has to be unmapped before pte_same check can succeed, but if gets
unmapped the new swap entry will be written in the page_table and it
won't risk to succeed the pte_same check).

If the page wasn't mapped when it was removed from swapcache, it can't
be added to swapcache at all because it was pinned: because only free
pages (during swapin) or mapped pages (during swapout) can be added to
swapcache.

If I'm missing something a trace of the exact scenario would help to
clarify your point.

Thanks!
Andrea

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

next prev parent reply	other threads:[~2010-09-16 21:03 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-03 15:39 [PATCH] fix swapin race condition Andrea Arcangeli
2010-09-03 20:02 ` Andrew Morton
2010-09-04 12:29   ` Andrea Arcangeli
2010-09-03 23:57 ` Rik van Riel
2010-09-06  2:35 ` Hugh Dickins
2010-09-15 23:02   ` Hugh Dickins
2010-09-15 23:42     ` Andrea Arcangeli
2010-09-16  0:10       ` Hugh Dickins
2010-09-16 21:03         ` Andrea Arcangeli [this message]
2010-09-16 21:08           ` Andrea Arcangeli
2010-09-17  2:31           ` Hugh Dickins
2010-09-18 13:19             ` Andrea Arcangeli
2010-09-20  2:35               ` Hugh Dickins
2010-09-20  2:40                 ` [PATCH] mm: further " Hugh Dickins
2010-09-20  2:40                   ` Hugh Dickins
2010-09-20  3:09                   ` Rik van Riel
2010-09-20  3:09                     ` Rik van Riel
  -- strict thread matches above, loose matches on Subject: below --
2010-07-09  0:23 [PATCH] " Andrea Arcangeli
2010-07-09 20:32 ` Hugh Dickins
2010-07-09 21:19   ` Hugh Dickins
2010-07-09 22:02   ` Rik van Riel
2010-07-13  1:08   ` Andrea Arcangeli
2010-07-13 21:30     ` Hugh Dickins

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100916210349.GU5981@random.random \
    --to=aarcange@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=greg@kroah.com \
    --cc=hughd@google.com \
    --cc=linux-mm@kvack.org \
    --cc=riel@redhat.com \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.