+ memcg-fix-possible-panic-when-config_mm_owner=y.patch added to -mm tree

The patch titled
     memcg: fix possible panic when CONFIG_MM_OWNER=y
has been added to the -mm tree.  Its filename is
     memcg-fix-possible-panic-when-config_mm_owner=y.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: memcg: fix possible panic when CONFIG_MM_OWNER=y
From: KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx>

When mm destruction happens, we should pass mm_update_next_owner() the old mm.
But unfortunately the new mm is passed in exec_mmap().

Thus, a kernel panic is possible when a multi-threaded process uses exec().

Also, the owner member comment description is wrong.  mm->owner does not
necessarily point to the thread group leader.

Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx>
Acked-by: Balbir Singh <balbir@xxxxxxxxxxxxxxxxxx>
Cc: "Paul Menage" <menage@xxxxxxxxxx>
Cc: "KAMEZAWA Hiroyuki" <kamezawa.hiroyu@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/exec.c                |    2 +-
 include/linux/mm_types.h |   13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff -puN fs/exec.c~memcg-fix-possible-panic-when-config_mm_owner=y fs/exec.c
--- a/fs/exec.c~memcg-fix-possible-panic-when-config_mm_owner=y
+++ a/fs/exec.c
@@ -736,7 +736,7 @@ static int exec_mmap(struct mm_struct *m
 	tsk->active_mm = mm;
 	activate_mm(active_mm, mm);
 	task_unlock(tsk);
-	mm_update_next_owner(mm);
+	mm_update_next_owner(old_mm);
 	arch_pick_mmap_layout(mm);
 	if (old_mm) {
 		up_read(&old_mm->mmap_sem);
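Review bot: mm_update_next_owner(old_mm) is now called unconditionally, but the "if (old_mm)" test two lines further down shows that old_mm can be NULL at this point. Unless mm_update_next_owner() is known to tolerate a NULL mm, the call should move inside the "if (old_mm) {" block or be guarded, otherwise the fix swaps one possible panic for a NULL dereference on the path where there is no previous mm. The changelog should also say whether the call is meant to run before up_read(&old_mm->mmap_sem), since the ordering is not explained.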
diff -puN include/linux/mm_types.h~memcg-fix-possible-panic-when-config_mm_owner=y include/linux/mm_types.h
--- a/include/linux/mm_types.h~memcg-fix-possible-panic-when-config_mm_owner=y
+++ a/include/linux/mm_types.h
@@ -226,8 +226,17 @@ struct mm_struct {
 	rwlock_t		ioctx_list_lock;	/* aio lock */
 	struct kioctx		*ioctx_list;
 #ifdef CONFIG_MM_OWNER
-	struct task_struct *owner;	/* The thread group leader that */
-					/* owns the mm_struct.		*/
+        /*
+         * "owner" points to a task that is regarded as the canonical
+         * user/owner of this mm. All of the following must be true in
+         * order for it to be changed:
+         *
+         * current == mm->owner
+         * current->mm != mm
+         * new_owner->mm == mm
+         * new_owner->alloc_lock is held
+         */
+	struct task_struct *owner;
 #endif
 
 #ifdef CONFIG_PROC_FS
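Review bot: the added comment block in struct mm_struct is indented with eight spaces, while the neighbouring lines, including the "struct task_struct *owner;" line right after it, use a tab; please indent the comment with a tab to match. The comment would also be more useful if it said outright that owner need not be the thread group leader, which the changelog calls out but the new text leaves implicit, and if it named where the four listed conditions are enforced.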
_

Patches currently in -mm which might be from kosaki.motohiro@xxxxxxxxxxxxxx are

make-vmstat-cpu-unplug-safe.patch
memcg-fix-possible-panic-when-config_mm_owner=y.patch
page-allocator-inlnie-some-__alloc_pages-wrappers.patch
mm-hugetlbc-fix-duplicate-variable.patch
make-mm-memoryc-print_bad_pte-static.patch
mm-swapfilec-make-code-static.patch
make-mm-rmapc-anon_vma_cachep-static.patch
