[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.4 / mm-fix-migration-hangs-on-anon_vma-lock.patch

From 1ce82b69e96c838d007f316b8347b911fdfa9842 Mon Sep 17 00:00:00 2001
From: Hugh Dickins <hughd@google.com>
Date: Thu, 13 Jan 2011 15:47:30 -0800
Subject: mm: fix migration hangs on anon_vma lock

From: Hugh Dickins <hughd@google.com>

commit 1ce82b69e96c838d007f316b8347b911fdfa9842 upstream.

Increased usage of page migration in mmotm reveals that the anon_vma
locking in unmap_and_move() has been deficient since 2.6.36 (or even
earlier).  Review at the time of f18194275c39835cb84563500995e0d503a32d9a
("mm: fix hang on anon_vma->root->lock") missed the issue here: the
anon_vma to which we get a reference may already have been freed back to
its slab (it is in use when we check page_mapped, but that can change),
and so its anon_vma->root may be switched at any moment by reuse in
anon_vma_prepare.

Perhaps we could fix that with a get_anon_vma_unless_zero(), but let's
not: just rely on page_lock_anon_vma() to do all the hard thinking for us,
then we don't need any rcu read locking over here.

In removing the rcu_unlock label: since PageAnon is a bit in
page->mapping, it's impossible for a !page->mapping page to be anon; but
insert VM_BUG_ON in case the implementation ever changes.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Rik van Riel <riel@redhat.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Jun'ichi Nomura" <j-nomura@ce.jp.nec.com>
Cc: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 mm/migrate.c |   48 +++++++++++++++++++-----------------------------
 1 file changed, 19 insertions(+), 29 deletions(-)

--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -553,7 +553,6 @@ static int unmap_and_move(new_page_t get
 	int *result = NULL;
 	struct page *newpage = get_new_page(page, private, &result);
 	int remap_swapcache = 1;
-	int rcu_locked = 0;
 	int charge = 0;
 	struct mem_cgroup *mem = NULL;
 	struct anon_vma *anon_vma = NULL;
@@ -605,20 +604,26 @@ static int unmap_and_move(new_page_t get
 	/*
 	 * By try_to_unmap(), page->mapcount goes down to 0 here. In this case,
 	 * we cannot notice that anon_vma is freed while we migrates a page.
-	 * This rcu_read_lock() delays freeing anon_vma pointer until the end
+	 * This get_anon_vma() delays freeing anon_vma pointer until the end
 	 * of migration. File cache pages are no problem because of page_lock()
 	 * File Caches may use write_page() or lock_page() in migration, then,
 	 * just care Anon page here.
 	 */
 	if (PageAnon(page)) {
-		rcu_read_lock();
-		rcu_locked = 1;
-
-		/* Determine how to safely use anon_vma */
-		if (!page_mapped(page)) {
-			if (!PageSwapCache(page))
-				goto rcu_unlock;
-
+		/*
+		 * Only page_lock_anon_vma() understands the subtleties of
+		 * getting a hold on an anon_vma from outside one of its mms.
+		 */
+		anon_vma = page_lock_anon_vma(page);
+		if (anon_vma) {
+			/*
+			 * Take a reference count on the anon_vma if the
+			 * page is mapped so that it is guaranteed to
+			 * exist when the page is remapped later
+			 */
+			get_anon_vma(anon_vma);
+			page_unlock_anon_vma(anon_vma);
+		} else if (PageSwapCache(page)) {
 			/*
 			 * We cannot be sure that the anon_vma of an unmapped
 			 * swapcache page is safe to use because we don't
@@ -633,13 +638,7 @@ static int unmap_and_move(new_page_t get
 			 */
 			remap_swapcache = 0;
 		} else {
-			/*
-			 * Take a reference count on the anon_vma if the
-			 * page is mapped so that it is guaranteed to
-			 * exist when the page is remapped later
-			 */
-			anon_vma = page_anon_vma(page);
-			get_anon_vma(anon_vma);
+			goto uncharge;
 		}
 	}
 
@@ -656,16 +655,10 @@ static int unmap_and_move(new_page_t get
 	 * free the metadata, so the page can be freed.
 	 */
 	if (!page->mapping) {
-		if (!PageAnon(page) && page_has_private(page)) {
-			/*
-			 * Go direct to try_to_free_buffers() here because
-			 * a) that's what try_to_release_page() would do anyway
-			 * b) we may be under rcu_read_lock() here, so we can't
-			 *    use GFP_KERNEL which is what try_to_release_page()
-			 *    needs to be effective.
-			 */
+		VM_BUG_ON(PageAnon(page));
+		if (page_has_private(page)) {
 			try_to_free_buffers(page);
-			goto rcu_unlock;
+			goto uncharge;
 		}
 		goto skip_unmap;
 	}
@@ -679,14 +672,11 @@ skip_unmap:
 
 	if (rc && remap_swapcache)
 		remove_migration_ptes(page, page);
-rcu_unlock:
 
 	/* Drop an anon_vma reference if we took one */
 	if (anon_vma)
 		drop_anon_vma(anon_vma);
 
-	if (rcu_locked)
-		rcu_read_unlock();
 uncharge:
 	if (!charge)
 		mem_cgroup_end_migration(mem, page, newpage);
Commit	Line	Data
39ab309c GKH	1	From 1ce82b69e96c838d007f316b8347b911fdfa9842 Mon Sep 17 00:00:00 2001
	2	From: Hugh Dickins <hughd@google.com>
	3	Date: Thu, 13 Jan 2011 15:47:30 -0800
	4	Subject: mm: fix migration hangs on anon_vma lock
	5
	6	From: Hugh Dickins <hughd@google.com>
	7
	8	commit 1ce82b69e96c838d007f316b8347b911fdfa9842 upstream.
	9
	10	Increased usage of page migration in mmotm reveals that the anon_vma
	11	locking in unmap_and_move() has been deficient since 2.6.36 (or even
	12	earlier). Review at the time of f18194275c39835cb84563500995e0d503a32d9a
	13	("mm: fix hang on anon_vma->root->lock") missed the issue here: the
	14	anon_vma to which we get a reference may already have been freed back to
	15	its slab (it is in use when we check page_mapped, but that can change),
	16	and so its anon_vma->root may be switched at any moment by reuse in
	17	anon_vma_prepare.
	18
	19	Perhaps we could fix that with a get_anon_vma_unless_zero(), but let's
	20	not: just rely on page_lock_anon_vma() to do all the hard thinking for us,
	21	then we don't need any rcu read locking over here.
	22
	23	In removing the rcu_unlock label: since PageAnon is a bit in
	24	page->mapping, it's impossible for a !page->mapping page to be anon; but
	25	insert VM_BUG_ON in case the implementation ever changes.
	26
	27	[akpm@linux-foundation.org: coding-style fixes]
	28	Signed-off-by: Hugh Dickins <hughd@google.com>
	29	Reviewed-by: Mel Gorman <mel@csn.ul.ie>
	30	Reviewed-by: Rik van Riel <riel@redhat.com>
	31	Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
	32	Cc: "Jun'ichi Nomura" <j-nomura@ce.jp.nec.com>
	33	Cc: Andi Kleen <ak@linux.intel.com>
	34	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	35	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	37
	38	---
	39	mm/migrate.c \| 48 +++++++++++++++++++-----------------------------
	40	1 file changed, 19 insertions(+), 29 deletions(-)
	41
	42	--- a/mm/migrate.c
	43	+++ b/mm/migrate.c
	44	@@ -553,7 +553,6 @@ static int unmap_and_move(new_page_t get
	45	int *result = NULL;
	46	struct page *newpage = get_new_page(page, private, &result);
	47	int remap_swapcache = 1;
	48	- int rcu_locked = 0;
	49	int charge = 0;
	50	struct mem_cgroup *mem = NULL;
	51	struct anon_vma *anon_vma = NULL;
	52	@@ -605,20 +604,26 @@ static int unmap_and_move(new_page_t get
	53	/*
	54	* By try_to_unmap(), page->mapcount goes down to 0 here. In this case,
	55	* we cannot notice that anon_vma is freed while we migrates a page.
	56	- * This rcu_read_lock() delays freeing anon_vma pointer until the end
	57	+ * This get_anon_vma() delays freeing anon_vma pointer until the end
	58	* of migration. File cache pages are no problem because of page_lock()
	59	* File Caches may use write_page() or lock_page() in migration, then,
	60	* just care Anon page here.
	61	*/
	62	if (PageAnon(page)) {
	63	- rcu_read_lock();
	64	- rcu_locked = 1;
65	-
66	- /* Determine how to safely use anon_vma */
67	- if (!page_mapped(page)) {
68	- if (!PageSwapCache(page))
69	- goto rcu_unlock;
70	-
71	+ /*
72	+ * Only page_lock_anon_vma() understands the subtleties of
73	+ * getting a hold on an anon_vma from outside one of its mms.
74	+ */
75	+ anon_vma = page_lock_anon_vma(page);
76	+ if (anon_vma) {
77	+ /*
78	+ * Take a reference count on the anon_vma if the
79	+ * page is mapped so that it is guaranteed to
80	+ * exist when the page is remapped later
81	+ */
82	+ get_anon_vma(anon_vma);
83	+ page_unlock_anon_vma(anon_vma);
84	+ } else if (PageSwapCache(page)) {
85	/*
86	* We cannot be sure that the anon_vma of an unmapped
87	* swapcache page is safe to use because we don't
88	@@ -633,13 +638,7 @@ static int unmap_and_move(new_page_t get
89	*/
90	remap_swapcache = 0;
91	} else {
92	- /*
93	- * Take a reference count on the anon_vma if the
94	- * page is mapped so that it is guaranteed to
95	- * exist when the page is remapped later
96	- */
97	- anon_vma = page_anon_vma(page);
98	- get_anon_vma(anon_vma);
99	+ goto uncharge;
100	}
101	}
102
103	@@ -656,16 +655,10 @@ static int unmap_and_move(new_page_t get
104	* free the metadata, so the page can be freed.
105	*/
106	if (!page->mapping) {
107	- if (!PageAnon(page) && page_has_private(page)) {
108	- /*
109	- * Go direct to try_to_free_buffers() here because
110	- * a) that's what try_to_release_page() would do anyway
111	- * b) we may be under rcu_read_lock() here, so we can't
112	- * use GFP_KERNEL which is what try_to_release_page()
113	- * needs to be effective.
114	- */
115	+ VM_BUG_ON(PageAnon(page));
116	+ if (page_has_private(page)) {
117	try_to_free_buffers(page);
118	- goto rcu_unlock;
119	+ goto uncharge;
120	}
121	goto skip_unmap;
122	}
123	@@ -679,14 +672,11 @@ skip_unmap:
124
125	if (rc && remap_swapcache)
126	remove_migration_ptes(page, page);
127	-rcu_unlock:
128
129	/* Drop an anon_vma reference if we took one */
130	if (anon_vma)
131	drop_anon_vma(anon_vma);
132
133	- if (rcu_locked)
134	- rcu_read_unlock();
135	uncharge:
136	if (!charge)
137	mem_cgroup_end_migration(mem, page, newpage);