From: Mel Gorman <mel@csn.ul.ie>
To: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Minchan Kim <minchan.kim@gmail.com>,
Christoph Lameter <cl@linux.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Rik van Riel <riel@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Peter Zijlstra <peterz@infradead.org>
Subject: Re: [PATCH 1/2] mm,migration: Prevent rmap_walk_[anon|ksm] seeing the wrong VMA information
Date: Fri, 7 May 2010 17:26:44 +0100 [thread overview]
Message-ID: <20100507162644.GD4859@csn.ul.ie> (raw)
In-Reply-To: <20100507095654.a8097967.kamezawa.hiroyu@jp.fujitsu.com>
On Fri, May 07, 2010 at 09:56:54AM +0900, KAMEZAWA Hiroyuki wrote:
> On Fri, 7 May 2010 00:20:52 +0100
> Mel Gorman <mel@csn.ul.ie> wrote:
>
> > vma_adjust() is updating anon VMA information without locks being taken.
> > In contrast, file-backed mappings use the i_mmap_lock and this lack of
> > locking can result in races with users of rmap_walk such as page migration.
> > vma_address() can return -EFAULT for an address that will soon be valid.
> > For migration, this potentially leaves a dangling migration PTE behind
> > which can later cause a BUG_ON to trigger when the page is faulted in.
> >
> > <SNIP>
>
> I'm sorry but I don't think I understand this. Could you help me ?
>
Hopefully.
> IIUC, anon_vma_chain is linked as 2D-mesh
>
> anon_vma1 anon_vma2 anon_vma3
> | | |
> vma1 ----- 1 -------- 2 --------- 3 -----
> | | |
> vma2 ----- 4 -------- 5 ---------- 6 -----
> | | |
> vma3 ----- 7 -------- 8 ---------- 9 -----
>
>
> Here,
> * vertical link is anon_vma->head, avc->same_anon_vma link.
> * horizontal link is vma->anon_vma_chain, avc->same_vma link.
> * 1-9 are avcs.
>
I don't think this is quite right for how the "root" anon_vma is
discovered. The ordering of same_vma is such that the prev pointer
points to the root anon_vma as described in __page_set_anon_rmap() but
even so...
> When scanning pages, we may see a page whose anon_vma is anon_vma1
> or anon_vma2 or anon_vma3.
>
When we are walking the list for the anon_vma, we also hold the page
lock and what we're really interested in are ptes mapping that page.
> When we see anon_vma3 in page->mapping, we lock anon_vma1 and chase
> avc1->avc4->avc7. Then, start from vma1. Next, we visit vma2, we lock anon_vma2.
> At the last, we visit vma3 and lock anon_vma3.....And all are done under
> anon_vma1->lock. Right ?
>
assuming it's the root lock, sure.
> Hmm, one concern is
> anon_vma3 -> avc3 -> vma1 -> avc1 -> anon_vma1 chasing.
>
> What will prevent vma1 disappear right after releasling anon_vma3->lock ?
>
What does it matter if it disappeared? If it did, it was because it was torn
down, the PTEs are also gone and a user of rmap_walk should have stopped
caring. Right?
> ex)
> a1) At we chase, anon_vma3 -> avc3 -> vma1 -> anon_vma1, link was following.
>
> anon_vma1 anon_vma2 anon_vma3
> | | |
> vma1 ----- 1 -------- 2 --------- 3 -----
> | | |
> vma2 ----- 4 -------- 5 ---------- 6 -----
> | | |
> vma3 ----- 7 -------- 8 ---------- 9 -----
>
> We hold lock on anon_vma3.
>
> a2) After releasing anon_vma3 lock. vma1 can be unlinked.
>
> anon_vma1 anon_vma2 anon_vma3
> | | |
> vma1 removed.
> | | |
> vma2 ----- 4 -------- 5 ---------- 6 -----
> | | |
> vma3 ----- 7 -------- 8 ---------- 9 -----
>
> But we know anon_vma1->head is not empty, and it's accessable.
> Then, no problem for our purpose. Right ?
>
As the PTEs are also gone, I'm not seeing the problem.
> b1) Another thinking.
>
> At we chase, anon_vma3 -> avc3 -> vma1 -> anon_vma1, link was following.
>
> anon_vma1 anon_vma2 anon_vma3
> | | |
> vma1 ----- 1 -------- 2 --------- 3 -----
> | | |
> vma2 ----- 4 -------- 5 ---------- 6 -----
> | | |
> vma3 ----- 7 -------- 8 ---------- 9 -----
>
> We hold lock on anon_vma3. So,
>
> anon_vma1 anon_vma2 anon_vma3
> | | |
> vma1 ----removed -----removed ------ 3 -----
> | | |
> vma2 ----- 4 -------- 5 ---------- 6 -----
> | | |
> vma3 ----- 7 -------- 8 ---------- 9 -----
>
> we may see half-broken link while we take anon_vma3->lock. In this case,
> anon_vma1 can be caugt.
>
> Don't we need this ?
>
>
> void unlink_anon_vmas(struct vm_area_struct *vma)
> {
> struct anon_vma_chain *avc, *next;
>
> /* Unlink each anon_vma chained to the VMA. */
> - list_for_each_entry_safe_reverse(avc, next, &vma->anon_vma_chain, same_vma) {
This was meant to be list_for_each_entry_safe(....)
> + list_for_each_entry_safe_reverse(avc, next, &vma->anon_vma_chain, same_vma) {
> anon_vma_unlink(avc);
> list_del(&avc->same_vma);
> anon_vma_chain_free(avc);
> }
> }
>
> head avc should be removed last... Hmm ? I'm sorry if all are
> in correct order already.
>
I think the ordering is ok. The rmap_walk may find a situation where the
anon_vmas are being cleaned up but again as the page tables are going
away at this point, the contents of the PTEs are no longer important.
--
Mel Gorman
Part-time Phd Student Linux Technology Center
University of Limerick IBM Dublin Software Lab
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2010-05-07 16:27 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-06 23:20 [PATCH 0/2] Fix migration races in rmap_walk() V7 Mel Gorman
2010-05-06 23:20 ` [PATCH 1/2] mm,migration: Prevent rmap_walk_[anon|ksm] seeing the wrong VMA information Mel Gorman
2010-05-07 0:56 ` KAMEZAWA Hiroyuki
2010-05-07 16:26 ` Mel Gorman [this message]
2010-05-08 15:39 ` Andrea Arcangeli
2010-05-08 17:02 ` Linus Torvalds
2010-05-08 18:04 ` Andrea Arcangeli
2010-05-08 19:51 ` Linus Torvalds
2010-05-09 19:23 ` Mel Gorman
2010-05-06 23:20 ` [PATCH 2/2] mm,migration: Fix race between shift_arg_pages and rmap_walk by guaranteeing rmap_walk finds PTEs created within the temporary stack Mel Gorman
2010-05-07 1:40 ` Linus Torvalds
2010-05-07 1:57 ` KAMEZAWA Hiroyuki
2010-05-07 2:12 ` Linus Torvalds
2010-05-07 4:19 ` KAMEZAWA Hiroyuki
2010-05-07 14:18 ` Linus Torvalds
2010-05-09 19:21 ` Mel Gorman
2010-05-09 19:56 ` Linus Torvalds
2010-05-09 20:06 ` Linus Torvalds
2010-05-09 20:20 ` Linus Torvalds
2010-05-10 0:40 ` KAMEZAWA Hiroyuki
2010-05-10 1:30 ` Linus Torvalds
2010-05-10 1:32 ` Linus Torvalds
2010-05-10 1:40 ` KAMEZAWA Hiroyuki
2010-05-10 1:49 ` Linus Torvalds
2010-05-10 13:24 ` Mel Gorman
2010-05-10 23:55 ` KAMEZAWA Hiroyuki
2010-05-10 0:42 ` KAMEZAWA Hiroyuki
2010-05-10 14:02 ` Mel Gorman
2010-05-10 13:49 ` Mel Gorman
2010-05-10 0:32 ` KAMEZAWA Hiroyuki
2010-05-07 9:16 ` Mel Gorman
2010-05-07 8:13 ` [PATCH 0/2] Fix migration races in rmap_walk() V7 KAMEZAWA Hiroyuki
-- strict thread matches above, loose matches on Subject: below --
2010-05-06 15:33 [PATCH 0/2] Fix migration races in rmap_walk() V6 Mel Gorman
2010-05-06 15:33 ` [PATCH 1/2] mm,migration: Prevent rmap_walk_[anon|ksm] seeing the wrong VMA information Mel Gorman
2010-05-06 15:44 ` Rik van Riel
2010-05-06 15:51 ` Mel Gorman
2010-05-06 15:59 ` Linus Torvalds
2010-05-06 17:07 ` Mel Gorman
2010-05-05 13:14 [PATCH 0/2] Fix migration races in rmap_walk() V5 Mel Gorman
2010-05-05 13:14 ` [PATCH 1/2] mm,migration: Prevent rmap_walk_[anon|ksm] seeing the wrong VMA information Mel Gorman
2010-05-05 14:34 ` Linus Torvalds
2010-05-05 14:56 ` Mel Gorman
2010-05-05 15:31 ` Linus Torvalds
2010-05-05 15:54 ` Mel Gorman
2010-05-05 16:13 ` Andrea Arcangeli
2010-05-05 19:11 ` Peter Zijlstra
2010-05-05 19:57 ` Andrea Arcangeli
2010-05-21 0:27 ` Andrea Arcangeli
2010-05-06 10:37 ` Mel Gorman
2010-05-05 17:34 ` Linus Torvalds
2010-05-05 17:57 ` Linus Torvalds
2010-05-05 18:14 ` Mel Gorman
2010-05-05 18:34 ` Linus Torvalds
2010-05-06 11:03 ` Mel Gorman
2010-05-06 13:40 ` Rik van Riel
2010-05-06 13:45 ` Mel Gorman
2010-05-05 17:53 ` Mel Gorman
2010-05-05 18:02 ` Linus Torvalds
2010-05-05 18:17 ` Mel Gorman
2010-05-06 0:22 ` Mel Gorman
2010-05-06 0:42 ` Linus Torvalds
2010-05-06 10:02 ` Mel Gorman
2010-05-06 14:15 ` Linus Torvalds
2010-05-06 14:25 ` Mel Gorman
2010-05-06 9:47 ` Minchan Kim
2010-05-06 9:54 ` Mel Gorman
2010-05-06 10:01 ` Minchan Kim
2010-05-06 10:10 ` Mel Gorman
2010-05-06 14:06 ` Linus Torvalds
2010-05-06 15:59 ` Minchan Kim
2010-05-06 7:38 ` KAMEZAWA Hiroyuki
2010-05-06 9:46 ` Mel Gorman
2010-05-06 23:52 ` KAMEZAWA Hiroyuki
2010-05-07 5:49 ` KAMEZAWA Hiroyuki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100507162644.GD4859@csn.ul.ie \
--to=mel@csn.ul.ie \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=minchan.kim@gmail.com \
--cc=peterz@infradead.org \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).