diff options
| author | Andrea Arcangeli <aarcange@redhat.com> | 2010-08-02 20:40:50 +0200 |
|---|---|---|
| committer | Andrea Arcangeli <aarcange@redhat.com> | 2010-08-02 18:43:05 +0000 |
| commit | f4eb8f44296052a3d449db48e9ff1c2449a9587c (patch) | |
| tree | e0683bbec206d0d23fc1ef4f0d18fc4048e66686 /mm/memory.c | |
| parent | bc6b943eb908fe0766498a6e00b605f64f57b829 (diff) | |
fix swapin race condition
The pte_same check is reliable only if the swap entry remains pinned
(by the page lock on swapcache). We've also to ensure the swapcache
isn't removed before we take the lock as try_to_free_swap won't care
about the page pin.
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Diffstat (limited to 'mm/memory.c')
| -rw-r--r-- | mm/memory.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/mm/memory.c b/mm/memory.c index 5756a002f9ab..8684f1aa5cb4 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2626,7 +2626,7 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, unsigned int flags, pte_t orig_pte) { spinlock_t *ptl; - struct page *page; + struct page *page, *swapcache = NULL; swp_entry_t entry; pte_t pte; struct mem_cgroup *ptr = NULL; @@ -2682,10 +2682,23 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, lock_page(page); delayacct_clear_flag(DELAYACCT_PF_SWAPIN); - page = ksm_might_need_to_copy(page, vma, address); - if (!page) { - ret = VM_FAULT_OOM; - goto out; + /* + * Make sure try_to_free_swap didn't release the swapcache + * from under us. The page pin isn't enough to prevent that. + */ + if (unlikely(!PageSwapCache(page))) + goto out_page; + + if (ksm_might_need_to_copy(page, vma, address)) { + swapcache = page; + page = ksm_does_need_to_copy(page, vma, address); + + if (unlikely(!page)) { + ret = VM_FAULT_OOM; + page = swapcache; + swapcache = NULL; + goto out_page; + } } if (mem_cgroup_try_charge_swapin(mm, page, GFP_KERNEL, &ptr)) { @@ -2738,6 +2751,18 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma, if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page)) try_to_free_swap(page); unlock_page(page); + if (swapcache) { + /* + * Hold the lock to avoid the swap entry to be reused + * until we take the PT lock for the pte_same() check + * (to avoid false positives from pte_same). For + * further safety release the lock after the swap_free + * so that the swap count won't change under a + * parallel locked swapcache. + */ + unlock_page(swapcache); + page_cache_release(swapcache); + } if (flags & FAULT_FLAG_WRITE) { ret |= do_wp_page(mm, vma, address, page_table, pmd, ptl, pte); @@ -2759,6 +2784,10 @@ out_page: unlock_page(page); out_release: page_cache_release(page); + if (swapcache) { + unlock_page(swapcache); + page_cache_release(swapcache); + } return ret; } |