提交 9f9f1acd 编写于 作者: K Konstantin Khlebnikov 提交者: Linus Torvalds

mm: fix rss count leakage during migration

Memory migration fills a pte with a migration entry and it doesn't
update the rss counters.  Then it replaces the migration entry with the
new page (or the old one if migration failed).  But between these two
passes this pte can be unmaped, or a task can fork a child and it will
get a copy of this migration entry.  Nobody accounts for this in the rss
counters.

This patch properly adjust rss counters for migration entries in
zap_pte_range() and copy_one_pte().  Thus we avoid extra atomic
operations on the migration fast-path.
Signed-off-by: NKonstantin Khlebnikov <khlebnikov@openvz.org>
Cc: Hugh Dickins <hughd@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
上级 24513264
...@@ -878,17 +878,26 @@ copy_one_pte(struct mm_struct *dst_mm, struct mm_struct *src_mm, ...@@ -878,17 +878,26 @@ copy_one_pte(struct mm_struct *dst_mm, struct mm_struct *src_mm,
} }
if (likely(!non_swap_entry(entry))) if (likely(!non_swap_entry(entry)))
rss[MM_SWAPENTS]++; rss[MM_SWAPENTS]++;
else if (is_write_migration_entry(entry) && else if (is_migration_entry(entry)) {
page = migration_entry_to_page(entry);
if (PageAnon(page))
rss[MM_ANONPAGES]++;
else
rss[MM_FILEPAGES]++;
if (is_write_migration_entry(entry) &&
is_cow_mapping(vm_flags)) { is_cow_mapping(vm_flags)) {
/* /*
* COW mappings require pages in both parent * COW mappings require pages in both
* and child to be set to read. * parent and child to be set to read.
*/ */
make_migration_entry_read(&entry); make_migration_entry_read(&entry);
pte = swp_entry_to_pte(entry); pte = swp_entry_to_pte(entry);
set_pte_at(src_mm, addr, src_pte, pte); set_pte_at(src_mm, addr, src_pte, pte);
} }
} }
}
goto out_set_pte; goto out_set_pte;
} }
...@@ -1191,6 +1200,16 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, ...@@ -1191,6 +1200,16 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb,
if (!non_swap_entry(entry)) if (!non_swap_entry(entry))
rss[MM_SWAPENTS]--; rss[MM_SWAPENTS]--;
else if (is_migration_entry(entry)) {
struct page *page;
page = migration_entry_to_page(entry);
if (PageAnon(page))
rss[MM_ANONPAGES]--;
else
rss[MM_FILEPAGES]--;
}
if (unlikely(!free_swap_and_cache(entry))) if (unlikely(!free_swap_and_cache(entry)))
print_bad_pte(vma, addr, ptent, NULL); print_bad_pte(vma, addr, ptent, NULL);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册