Re: [PATCH -v2] rmap: make anon_vma_prepare link in all the anon_vmasof a mergeable VMA
From: Rik van Riel
Date: Sat Apr 10 2010 - 15:38:10 EST
On 04/10/2010 02:21 PM, Linus Torvalds wrote:
Maybe I'm crazy, but something started bothering me. And I started
wondering: when is the 'page->mapping' of an anonymous page actually
cleared?
The thing is, the mapping of an anonymous page is actually cleared only
when the page is _freed_, in "free_hot_cold_page()".
Which is also where they are removed from the LRU.
The plot thickens...
Now, let's think about that. And in particular, let's think about how that
relates to the freeing of the 'anon_vma' that the page->mapping points to.
The way the anon_vma is freed is when the mapping is torn down, and we do
roughly:
tlb = tlb_gather_mmu(mm,..)
..
unmap_vmas(&tlb, vma ..
..
free_pgtables()
..
tlb_finish_mmu(tlb, start, end);
Looks like we should move the anon_vma freeing from free_pgtables
over to remove_vma?
This code is just below the tlb_finish_mmu in exit_mmap:
/*
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
*/
while (vma)
vma = remove_vma(vma);
This comment in free_pgtables is a little suspect:
/*
* Hide vma from rmap and truncate_pagecache before freeing
* pgtables
*/
unlink_anon_vmas(vma);
unlink_file_vma(vma);
After all, the rmap code will quickly notice that there either are
no page tables, or the page tables no longer have anything in them.
It looks like we may have had this use-after-free bug in the VM for
quite a while... I am not entirely sure what exposed the bug, but
I can see how it works.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/