diff options
author | Hugh Dickins <hugh@veritas.com> | 2009-01-06 17:39:37 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-01-06 18:59:03 -0500 |
commit | 68bdc8d64742ccc5e340c5d122ebbab3f0cf2a74 (patch) | |
tree | 1187bba5722e99f00dbba555f17026c63b0b88f9 /mm | |
parent | a2c43eed8334e878702fca713b212ae2a11d84b9 (diff) |
mm: try_to_unuse check removing right swap
There's a possible race in try_to_unuse() which Nick Piggin led me to two
years ago. Where it does lock_page() after read_swap_cache_async(), what
if another task removed that page from swapcache just before we locked it?
It would sail though the (*swap_map > 1) tests doing nothing (because it
could not have been removed from swapcache before its swap references were
gone), until it reaches the delete_from_swap_cache(page) near the bottom.
Now imagine that this page has been allocated to swap on a different swap
area while we dropped page lock (perhaps at the top, perhaps in unuse_mm):
we could wrongly remove from swap cache before the page has been written
to swap, so a subsequent do_swap_page() would read in stale data from
swap.
I think this case could not happen before: remove_exclusive_swap_page()
refused while page count was raised. But now with reuse_swap_page() and
try_to_free_swap() removing from swap cache without minding page count, I
think it could happen - the previous patch argued that it was safe because
try_to_unuse() already ignored page count, but overlooked that it might be
breaking the assumptions in try_to_unuse() itself.
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'mm')
-rw-r--r-- | mm/swapfile.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/mm/swapfile.c b/mm/swapfile.c index f43601827607..9ce7f81c8abc 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c | |||
@@ -889,7 +889,16 @@ static int try_to_unuse(unsigned int type) | |||
889 | lock_page(page); | 889 | lock_page(page); |
890 | wait_on_page_writeback(page); | 890 | wait_on_page_writeback(page); |
891 | } | 891 | } |
892 | if (PageSwapCache(page)) | 892 | |
893 | /* | ||
894 | * It is conceivable that a racing task removed this page from | ||
895 | * swap cache just before we acquired the page lock at the top, | ||
896 | * or while we dropped it in unuse_mm(). The page might even | ||
897 | * be back in swap cache on another swap area: that we must not | ||
898 | * delete, since it may not have been written out to swap yet. | ||
899 | */ | ||
900 | if (PageSwapCache(page) && | ||
901 | likely(page_private(page) == entry.val)) | ||
893 | delete_from_swap_cache(page); | 902 | delete_from_swap_cache(page); |
894 | 903 | ||
895 | /* | 904 | /* |