Re: [-mm][PATCH 1/2] mm owner fix race between swap and exit

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Balbir Singh <balbir@linux.vnet.ibm.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, skumar@linux.vnet.ibm.com,
	yamamoto@valinux.co.jp, menage@google.com, lizf@cn.fujitsu.com,
	linux-kernel@vger.kernel.org, nishimura@mxp.nes.nec.co.jp,
	xemul@openvz.org, hugh@veritas.com,
	kamezawa.hiroyu@jp.fujitsu.com
Subject: Re: [-mm][PATCH 1/2] mm owner fix race between swap and exit
Date: Tue, 12 Aug 2008 09:36:36 +0530	[thread overview]
Message-ID: <48A10C4C.6020009@linux.vnet.ibm.com> (raw)
In-Reply-To: <20080811173138.71f5bbe4.akpm@linux-foundation.org>

Andrew Morton wrote:
> On Mon, 11 Aug 2008 15:37:33 +0530
> Balbir Singh <balbir@linux.vnet.ibm.com> wrote:
> 
>> There's a race between mm->owner assignment and try_to_unuse(). The condition
>> occurs when try_to_unuse() runs in parallel with an exiting task.
>>
>> The race can be visualized below. To quote Hugh
>> "I don't think your careful alternation of CPU0/1 events at the end matters:
>> the swapoff CPU simply dereferences mm->owner after that task has gone"
>>
>> But the alteration does help understand the race better (at-least for me :))
>>
>> CPU0					CPU1
>> 					try_to_unuse
>> task 1 stars exiting			look at mm = task1->mm
>> ..					increment mm_users
>> task 1 exits
>> mm->owner needs to be updated, but
>> no new owner is found
>> (mm_users > 1, but no other task
>> has task->mm = task1->mm)
>> mm_update_next_owner() leaves
>>
>> grace period
>> 					user count drops, call mmput(mm)
>> task 1 freed
>> 					dereferencing mm->owner fails
>>
>> The fix is to notify the subsystem (via mm_owner_changed callback), if
>> no new owner is found by specifying the new task as NULL.
> 
> This patch applies to mainline, 2.6.27-rc2 and even 2.6.26.
> 
> Against which kernel/patch is it actually applicable?
> 
> (If the answer was "all of the above" then please don't go embedding
> mainline bugfixes in the middle of a -mm-only patch series!)

Andrew,

The answer is all, but the bug is not exposed *outside* of the memrlimit
controller, thus the push into -mm. I can redo and rework the patches for
mainline if required and pull it out of -mm.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

WARNING: multiple messages have this Message-ID (diff)

From: Balbir Singh <balbir@linux.vnet.ibm.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, skumar@linux.vnet.ibm.com,
	yamamoto@valinux.co.jp, menage@google.com, lizf@cn.fujitsu.com,
	linux-kernel@vger.kernel.org, nishimura@mxp.nes.nec.co.jp,
	xemul@openvz.org, hugh@veritas.com,
	kamezawa.hiroyu@jp.fujitsu.com
Subject: Re: [-mm][PATCH 1/2] mm owner fix race between swap and exit
Date: Tue, 12 Aug 2008 09:36:36 +0530	[thread overview]
Message-ID: <48A10C4C.6020009@linux.vnet.ibm.com> (raw)
In-Reply-To: <20080811173138.71f5bbe4.akpm@linux-foundation.org>

Andrew Morton wrote:
> On Mon, 11 Aug 2008 15:37:33 +0530
> Balbir Singh <balbir@linux.vnet.ibm.com> wrote:
> 
>> There's a race between mm->owner assignment and try_to_unuse(). The condition
>> occurs when try_to_unuse() runs in parallel with an exiting task.
>>
>> The race can be visualized below. To quote Hugh
>> "I don't think your careful alternation of CPU0/1 events at the end matters:
>> the swapoff CPU simply dereferences mm->owner after that task has gone"
>>
>> But the alteration does help understand the race better (at-least for me :))
>>
>> CPU0					CPU1
>> 					try_to_unuse
>> task 1 stars exiting			look at mm = task1->mm
>> ..					increment mm_users
>> task 1 exits
>> mm->owner needs to be updated, but
>> no new owner is found
>> (mm_users > 1, but no other task
>> has task->mm = task1->mm)
>> mm_update_next_owner() leaves
>>
>> grace period
>> 					user count drops, call mmput(mm)
>> task 1 freed
>> 					dereferencing mm->owner fails
>>
>> The fix is to notify the subsystem (via mm_owner_changed callback), if
>> no new owner is found by specifying the new task as NULL.
> 
> This patch applies to mainline, 2.6.27-rc2 and even 2.6.26.
> 
> Against which kernel/patch is it actually applicable?
> 
> (If the answer was "all of the above" then please don't go embedding
> mainline bugfixes in the middle of a -mm-only patch series!)

Andrew,

The answer is all, but the bug is not exposed *outside* of the memrlimit
controller, thus the push into -mm. I can redo and rework the patches for
mainline if required and pull it out of -mm.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

next prev parent reply	other threads:[~2008-08-12  4:08 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-08-11 10:07 [-mm][PATCH 0/2] Memory rlimit fix crash on fork Balbir Singh
2008-08-11 10:07 ` Balbir Singh
2008-08-11 10:07 ` [-mm][PATCH 1/2] mm owner fix race between swap and exit Balbir Singh
2008-08-11 10:07   ` Balbir Singh
2008-08-12  0:31   ` Andrew Morton
2008-08-12  0:31     ` Andrew Morton
2008-08-12  0:43     ` Paul Menage
2008-08-12  0:43       ` Paul Menage
2008-08-12  4:06     ` Balbir Singh [this message]
2008-08-12  4:06       ` Balbir Singh
2008-08-12  4:56       ` Andrew Morton
2008-08-12  4:56         ` Andrew Morton
2008-08-12  5:04         ` Balbir Singh
2008-08-12  5:04           ` Balbir Singh
2008-08-11 10:07 ` [-mm][PATCH 2/2] Memory rlimit enhance mm_owner_changed callback to deal with exited owner Balbir Singh
2008-08-11 10:07   ` Balbir Singh
2008-08-12  0:39   ` Paul Menage
2008-08-12  0:39     ` Paul Menage
2008-08-13  0:14 ` [-mm][PATCH 0/2] Memory rlimit fix crash on fork Andrew Morton
2008-08-13  0:14   ` Andrew Morton
2008-08-13  1:24   ` Balbir Singh
2008-08-13  1:24     ` Balbir Singh
2008-08-13  2:07     ` Balbir Singh
2008-08-13  2:07       ` Balbir Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48A10C4C.6020009@linux.vnet.ibm.com \
    --to=balbir@linux.vnet.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=hugh@veritas.com \
    --cc=kamezawa.hiroyu@jp.fujitsu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=lizf@cn.fujitsu.com \
    --cc=menage@google.com \
    --cc=nishimura@mxp.nes.nec.co.jp \
    --cc=skumar@linux.vnet.ibm.com \
    --cc=xemul@openvz.org \
    --cc=yamamoto@valinux.co.jp \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.