2 files changed, 31 insertions, 28 deletions
diff --git a/mm/migrate.c b/mm/migrate.c
index 34132f8e910..e4a5c912983 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -721,15 +721,11 @@ static int unmap_and_move(new_page_t get_new_page, unsigned long private,
                 * Only page_lock_anon_vma() understands the subtleties of
                 * getting a hold on an anon_vma from outside one of its mms.
                 */
-                anon_vma = page_lock_anon_vma(page);
+                anon_vma = page_get_anon_vma(page);
                if (anon_vma) {
                        /*
-                         * Take a reference count on the anon_vma if the
+                         * Anon page
-                         * page is mapped so that it is guaranteed to
-                         * exist when the page is remapped later
                         */
-                        get_anon_vma(anon_vma);
-                        page_unlock_anon_vma(anon_vma);
                } else if (PageSwapCache(page)) {
                        /*
                         * We cannot be sure that the anon_vma of an unmapped
@@ -857,13 +853,8 @@ static int unmap_and_move_huge_page(new_page_t get_new_page,
                lock_page(hpage);
        }
-        if (PageAnon(hpage)) {
+        if (PageAnon(hpage))
-                anon_vma = page_lock_anon_vma(hpage);
+                anon_vma = page_get_anon_vma(hpage);
-                if (anon_vma) {
-                        get_anon_vma(anon_vma);
-                        page_unlock_anon_vma(anon_vma);
-                }
-        }
        try_to_unmap(hpage, TTU_MIGRATION|TTU_IGNORE_MLOCK|TTU_IGNORE_ACCESS);
diff --git a/mm/rmap.c b/mm/rmap.c
index cc140811af5..d271845d7d1 100644
--- a/mm/rmap.c
+++ b/mm/rmap.c
@@ -337,9 +337,9 @@ void __init anon_vma_init(void)
 * that the anon_vma pointer from page->mapping is valid if there is a
 * mapcount, we can dereference the anon_vma after observing those.
 */
-struct anon_vma *page_lock_anon_vma(struct page *page)
+struct anon_vma *page_get_anon_vma(struct page *page)
 {
-        struct anon_vma *anon_vma, *root_anon_vma;
+        struct anon_vma *anon_vma = NULL;
        unsigned long anon_mapping;
        rcu_read_lock();
@@ -350,30 +350,42 @@ struct anon_vma *page_lock_anon_vma(struct page *page)
                goto out;
        anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON);
-        root_anon_vma = ACCESS_ONCE(anon_vma->root);
+        if (!atomic_inc_not_zero(&anon_vma->refcount)) {
-        spin_lock(&root_anon_vma->lock);
+                anon_vma = NULL;
+                goto out;
+        }
        /*
         * If this page is still mapped, then its anon_vma cannot have been
-         * freed.  But if it has been unmapped, we have no security against
+         * freed.  But if it has been unmapped, we have no security against the
-         * the anon_vma structure being freed and reused (for another anon_vma:
+         * anon_vma structure being freed and reused (for another anon_vma:
-         * SLAB_DESTROY_BY_RCU guarantees that - so the spin_lock above cannot
+         * SLAB_DESTROY_BY_RCU guarantees that - so the atomic_inc_not_zero()
-         * corrupt): with anon_vma_prepare() or anon_vma_fork() redirecting
+         * above cannot corrupt).
-         * anon_vma->root before page_unlock_anon_vma() is called to unlock.
         */
-        if (page_mapped(page))
+        if (!page_mapped(page)) {
-                return anon_vma;
+                put_anon_vma(anon_vma);
+                anon_vma = NULL;
-        spin_unlock(&root_anon_vma->lock);
+        }
 out:
        rcu_read_unlock();
-        return NULL;
+        return anon_vma;
+}
+struct anon_vma *page_lock_anon_vma(struct page *page)
+{
+        struct anon_vma *anon_vma = page_get_anon_vma(page);
+        if (anon_vma)
+                anon_vma_lock(anon_vma);
+        return anon_vma;
 }
 void page_unlock_anon_vma(struct anon_vma *anon_vma)
 {
        anon_vma_unlock(anon_vma);
-        rcu_read_unlock();
+        put_anon_vma(anon_vma);
 }
 /*

diff --git a/mm/migrate.c b/mm/migrate.c index 34132f8e910..e4a5c912983 100644 --- a/mm/migrate.c +++ b/mm/migrate.c
@@ -721,15 +721,11 @@ static int unmap_and_move(new_page_t get_new_page, unsigned long private,
721	* Only page_lock_anon_vma() understands the subtleties of	721	* Only page_lock_anon_vma() understands the subtleties of
722	* getting a hold on an anon_vma from outside one of its mms.	722	* getting a hold on an anon_vma from outside one of its mms.
723	*/	723	*/
724	anon_vma = page_lock_anon_vma(page);	724	anon_vma = page_get_anon_vma(page);
725	if (anon_vma) {	725	if (anon_vma) {
726	/*	726	/*
727	* Take a reference count on the anon_vma if the	727	* Anon page
728	* page is mapped so that it is guaranteed to
729	* exist when the page is remapped later
730	*/	728	*/
731	get_anon_vma(anon_vma);
732	page_unlock_anon_vma(anon_vma);
733	} else if (PageSwapCache(page)) {	729	} else if (PageSwapCache(page)) {
734	/*	730	/*
735	* We cannot be sure that the anon_vma of an unmapped	731	* We cannot be sure that the anon_vma of an unmapped
@@ -857,13 +853,8 @@ static int unmap_and_move_huge_page(new_page_t get_new_page,
857	lock_page(hpage);	853	lock_page(hpage);
858	}	854	}
859		855
860	if (PageAnon(hpage)) {	856	if (PageAnon(hpage))
861	anon_vma = page_lock_anon_vma(hpage);	857	anon_vma = page_get_anon_vma(hpage);
862	if (anon_vma) {
863	get_anon_vma(anon_vma);
864	page_unlock_anon_vma(anon_vma);
865	}
866	}
867		858
868	try_to_unmap(hpage, TTU_MIGRATION\|TTU_IGNORE_MLOCK\|TTU_IGNORE_ACCESS);	859	try_to_unmap(hpage, TTU_MIGRATION\|TTU_IGNORE_MLOCK\|TTU_IGNORE_ACCESS);
869		860


diff --git a/mm/rmap.c b/mm/rmap.c index cc140811af5..d271845d7d1 100644 --- a/mm/rmap.c +++ b/mm/rmap.c
@@ -337,9 +337,9 @@ void __init anon_vma_init(void)
337	* that the anon_vma pointer from page->mapping is valid if there is a	337	* that the anon_vma pointer from page->mapping is valid if there is a
338	* mapcount, we can dereference the anon_vma after observing those.	338	* mapcount, we can dereference the anon_vma after observing those.
339	*/	339	*/
340	struct anon_vma page_lock_anon_vma(struct page page)	340	struct anon_vma page_get_anon_vma(struct page page)
341	{	341	{
342	struct anon_vma anon_vma, root_anon_vma;	342	struct anon_vma *anon_vma = NULL;
343	unsigned long anon_mapping;	343	unsigned long anon_mapping;
344		344
345	rcu_read_lock();	345	rcu_read_lock();
@@ -350,30 +350,42 @@ struct anon_vma page_lock_anon_vma(struct page page)
350	goto out;	350	goto out;
351		351
352	anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON);	352	anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON);
353	root_anon_vma = ACCESS_ONCE(anon_vma->root);	353	if (!atomic_inc_not_zero(&anon_vma->refcount)) {
354	spin_lock(&root_anon_vma->lock);	354	anon_vma = NULL;
		355	goto out;
		356	}
355		357
356	/*	358	/*
357	* If this page is still mapped, then its anon_vma cannot have been	359	* If this page is still mapped, then its anon_vma cannot have been
358	* freed. But if it has been unmapped, we have no security against	360	* freed. But if it has been unmapped, we have no security against the
359	* the anon_vma structure being freed and reused (for another anon_vma:	361	* anon_vma structure being freed and reused (for another anon_vma:
360	* SLAB_DESTROY_BY_RCU guarantees that - so the spin_lock above cannot	362	* SLAB_DESTROY_BY_RCU guarantees that - so the atomic_inc_not_zero()
361	* corrupt): with anon_vma_prepare() or anon_vma_fork() redirecting	363	* above cannot corrupt).
362	* anon_vma->root before page_unlock_anon_vma() is called to unlock.
363	*/	364	*/
364	if (page_mapped(page))	365	if (!page_mapped(page)) {
365	return anon_vma;	366	put_anon_vma(anon_vma);
366		367	anon_vma = NULL;
367	spin_unlock(&root_anon_vma->lock);	368	}
368	out:	369	out:
369	rcu_read_unlock();	370	rcu_read_unlock();
370	return NULL;	371
		372	return anon_vma;
		373	}
		374
		375	struct anon_vma page_lock_anon_vma(struct page page)
		376	{
		377	struct anon_vma *anon_vma = page_get_anon_vma(page);
		378
		379	if (anon_vma)
		380	anon_vma_lock(anon_vma);
		381
		382	return anon_vma;
371	}	383	}
372		384
373	void page_unlock_anon_vma(struct anon_vma *anon_vma)	385	void page_unlock_anon_vma(struct anon_vma *anon_vma)
374	{	386	{
375	anon_vma_unlock(anon_vma);	387	anon_vma_unlock(anon_vma);
376	rcu_read_unlock();	388	put_anon_vma(anon_vma);
377	}	389	}
378		390
379	/*	391	/*