[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

2.4.14 + Bug in swap_out.

To: Linus Torvalds <torvalds@transmeta.com>, <linux-mm@kvack.org>,<linux-kernel@vger.kernel.org>
Subject: 2.4.14 + Bug in swap_out.
From: ebiederm@xmission.com (Eric W. Biederman)
Date: 20 Nov 2001 23:01:06 -0700
Fake-Sender: owner-linux-mm@kvack.org
Original-Recipient: rfc822;linux-mm-archive@humbolt.geo.uu.nl
Sender: Rik van Riel <riel@nl.linux.org>
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1

In swap_out we have the following code:

	spin_lock(&mmlist_lock);
	mm = swap_mm;
	while (mm->swap_address == TASK_SIZE || mm == &init_mm) {
		mm->swap_address = 0;
		mm = list_entry(mm->mmlist.next, struct mm_struct, mmlist);
		if (mm == swap_mm)
			goto empty;
		swap_mm = mm;
	}

	/* Make sure the mm doesn't disappear when we drop the lock.. */
	atomic_inc(&mm->mm_users);
	spin_unlock(&mmlist_lock);

	nr_pages = swap_out_mm(mm, nr_pages, &counter, classzone);

	mmput(mm);


And looking in fork.c mmput under with right circumstances becomes.
kmem_cache_free(mm_cachep, (mm)))

So it appears that there is nothing that keeps the mm_struct that
swap_mm points to as being valid. 

I guess the easy fix would be to increment the count on swap_mm,
and then do an mmput we assign something else to the value of swap_mm.  But
I don't know if that is what we want.

Thoughts?

Eric








--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/

Follow-Ups:
- Re: 2.4.14 + Bug in swap_out.
  - From: "David S. Miller" <davem@redhat.com>
- Re: 2.4.14 + Bug in swap_out.
  - From: Rik van Riel <riel@conectiva.com.br>

Prev by Date: RE: kupdated high load with heavy disk I/O
Next by Date: Re: 2.4.14 + Bug in swap_out.
Prev by thread: help with highmem
Next by thread: Re: 2.4.14 + Bug in swap_out.
Index(es):
- Date
- Thread