diff options
| author | Hugh Dickins <hughd@google.com> | 2011-05-28 16:20:21 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-05-28 19:55:32 -0400 |
| commit | eee0f252c6537da2e883f75d22cff1427515eaf3 (patch) | |
| tree | 87ca6a49dd2d299b6cb4146ff3295bb625519b05 /mm/rmap.c | |
| parent | 5dbe0af47f8a8f968bac2991c3ec974c6e3eaabc (diff) | |
mm: fix page_lock_anon_vma leaving mutex locked
On one machine I've been getting hangs, a page fault's anon_vma_prepare()
waiting in anon_vma_lock(), other processes waiting for that page's lock.
This is a replay of last year's f18194275c39 "mm: fix hang on
anon_vma->root->lock".
The new page_lock_anon_vma() places too much faith in its refcount: when
it has acquired the mutex_trylock(), it's possible that a racing task in
anon_vma_alloc() has just reallocated the struct anon_vma, set refcount
to 1, and is about to reset its anon_vma->root.
Fix this by saving anon_vma->root, and relying on the usual page_mapped()
check instead of a refcount check: if page is still mapped, the anon_vma
is still ours; if page is not still mapped, we're no longer interested.
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm/rmap.c')
| -rw-r--r-- | mm/rmap.c | 13 |
1 files changed, 8 insertions, 5 deletions
| @@ -405,6 +405,7 @@ out: | |||
| 405 | struct anon_vma *page_lock_anon_vma(struct page *page) | 405 | struct anon_vma *page_lock_anon_vma(struct page *page) |
| 406 | { | 406 | { |
| 407 | struct anon_vma *anon_vma = NULL; | 407 | struct anon_vma *anon_vma = NULL; |
| 408 | struct anon_vma *root_anon_vma; | ||
| 408 | unsigned long anon_mapping; | 409 | unsigned long anon_mapping; |
| 409 | 410 | ||
| 410 | rcu_read_lock(); | 411 | rcu_read_lock(); |
| @@ -415,13 +416,15 @@ struct anon_vma *page_lock_anon_vma(struct page *page) | |||
| 415 | goto out; | 416 | goto out; |
| 416 | 417 | ||
| 417 | anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON); | 418 | anon_vma = (struct anon_vma *) (anon_mapping - PAGE_MAPPING_ANON); |
| 418 | if (mutex_trylock(&anon_vma->root->mutex)) { | 419 | root_anon_vma = ACCESS_ONCE(anon_vma->root); |
| 420 | if (mutex_trylock(&root_anon_vma->mutex)) { | ||
| 419 | /* | 421 | /* |
| 420 | * If we observe a !0 refcount, then holding the lock ensures | 422 | * If the page is still mapped, then this anon_vma is still |
| 421 | * the anon_vma will not go away, see __put_anon_vma(). | 423 | * its anon_vma, and holding the mutex ensures that it will |
| 424 | * not go away, see __put_anon_vma(). | ||
| 422 | */ | 425 | */ |
| 423 | if (!atomic_read(&anon_vma->refcount)) { | 426 | if (!page_mapped(page)) { |
| 424 | anon_vma_unlock(anon_vma); | 427 | mutex_unlock(&root_anon_vma->mutex); |
| 425 | anon_vma = NULL; | 428 | anon_vma = NULL; |
| 426 | } | 429 | } |
| 427 | goto out; | 430 | goto out; |