https://github.com/torvalds/linux
Revision 31a78f23bac0069004e69f98808b6988baccb6b6 authored by Balbir Singh on 28 September 2008, 22:09:31 UTC, committed by Linus Torvalds on 29 September 2008, 15:41:47 UTC
There's a race between mm->owner assignment and swapoff, more easily
seen when task slab poisoning is turned on. The condition occurs when
try_to_unuse() runs in parallel with an exiting task. A similar race
can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
or ptrace or page migration.
CPU0 CPU1
try_to_unuse
looks at mm = task0->mm
increments mm->mm_users
task 0 exits
mm->owner needs to be updated, but no
new owner is found (mm_users > 1, but
no other task has task->mm = task0->mm)
mm_update_next_owner() leaves
mmput(mm) decrements mm->mm_users
task0 freed
dereferencing mm->owner fails
The fix is to notify the subsystem via mm_owner_changed callback(),
if no new owner is found, by specifying the new task as NULL.
Jiri Slaby:
mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
must be set after that, so as not to pass NULL as old owner causing oops.
Daisuke Nishimura:
mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
and its callers need to take account of this situation to avoid oops.
Hugh Dickins:
Lockdep warning and hang below exec_mmap() when testing these patches.
exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
so exec_mmap() now needs to do the same. And with that repositioning,
there's now no point in mm_need_new_owner() allowing for NULL mm.
Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent bf5cb66
Tip revision: 31a78f23bac0069004e69f98808b6988baccb6b6 authored by Balbir Singh on 28 September 2008, 22:09:31 UTC
mm owner: fix race between swapoff and exit
mm owner: fix race between swapoff and exit
Tip revision: 31a78f2
| File | Mode | Size |
|---|---|---|
| Documentation | ||
| arch | ||
| block | ||
| crypto | ||
| drivers | ||
| firmware | ||
| fs | ||
| include | ||
| init | ||
| ipc | ||
| kernel | ||
| lib | ||
| mm | ||
| net | ||
| samples | ||
| scripts | ||
| security | ||
| sound | ||
| usr | ||
| virt | ||
| .gitignore | -rw-r--r-- | 867 bytes |
| .mailmap | -rw-r--r-- | 3.7 KB |
| COPYING | -rw-r--r-- | 18.3 KB |
| CREDITS | -rw-r--r-- | 90.7 KB |
| Kbuild | -rw-r--r-- | 2.4 KB |
| MAINTAINERS | -rw-r--r-- | 99.5 KB |
| Makefile | -rw-r--r-- | 55.4 KB |
| README | -rw-r--r-- | 16.5 KB |
| REPORTING-BUGS | -rw-r--r-- | 3.1 KB |
Computing file changes ...
