    ksm: fix conflict between mmput and scan_get_next_rmap_item · 7496fea9
    Zhou Chengming authored
    A concurrency issue about KSM in the function scan_get_next_rmap_item.
    task A (ksmd):				|task B (the mm's task):
    mm = slot->mm;				|
    down_read(&mm->mmap_sem);		|
    ...					|
    spin_lock(&ksm_mmlist_lock);		|
    ksm_scan.mm_slot go to the next slot;	|
    spin_unlock(&ksm_mmlist_lock);		|
    					|mmput() ->
    					|	ksm_exit():
    					|if (mm_slot && ksm_scan.mm_slot != mm_slot) {
    					|	if (!mm_slot->rmap_list) {
    					|		easy_to_free = 1;
    					|		...
    					|if (easy_to_free) {
    					|	mmdrop(mm);
    					|	...
    					|So this mm_struct may be freed in the mmput().
    up_read(&mm->mmap_sem);			|
    As we can see above, the ksmd thread may access a mm_struct that already
    been freed to the kmem_cache.  Suppose a fork will get this mm_struct from
    the kmem_cache, the ksmd thread then call up_read(&mm->mmap_sem), will
    cause mmap_sem.count to become -1.
    As suggested by Andrea Arcangeli, unmerge_and_remove_all_rmap_items has
    the same SMP race condition, so fix it too.  My prev fix in function
    scan_get_next_rmap_item will introduce a different SMP race condition, so
    just invert the up_read/spin_unlock order as Andrea Arcangeli said.
    Link: http://lkml.kernel.org/r/1462708815-31301-1-git-send-email-zhouchengming1@huawei.com
