on CONFIG_MM_OWNER=y, kernel panic is possible.

on CONFIG_MM_OWNER=y, kernel panic is possible.

[KOSAKI Motohiro]

on CONFIG_MM_OWNER=y (that is automatically turned on by mem-cgroup),
kernel panic is possible by following scenario in mm_update_next_owner().

1. mm_update_next_owner() is called.
2. found caller task in do_each_thread() loop.
3. thus, BUG_ON(c == p) is true, it become kernel panic.

end up, We should left out current task.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
CC: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
CC: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
CC: Balbir Singh <balbir@linux.vnet.ibm.com>

---
 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/kernel/exit.c
===================================================================
--- a/kernel/exit.c     2008-05-04 22:57:23.000000000 +0900
+++ b/kernel/exit.c     2008-05-06 15:01:26.000000000 +0900
@@ -627,7 +627,7 @@ retry:
         * here often
         */
        do_each_thread(g, c) {
-               if (c->mm == mm)
+               if ((c != p) && (c->mm == mm))
                        goto assign_new_owner;
        } while_each_thread(g, c);


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[Balbir Singh]

KOSAKI Motohiro wrote:
> on CONFIG_MM_OWNER=y (that is automatically turned on by mem-cgroup),
> kernel panic is possible by following scenario in mm_update_next_owner().
> 
> 1. mm_update_next_owner() is called.
> 2. found caller task in do_each_thread() loop.
> 3. thus, BUG_ON(c == p) is true, it become kernel panic.
> 
> end up, We should left out current task.
> 
> 

That is not possible. If you look at where mm_update_next_owner() is called
from, we call it from

exit_mm() and exec_mmap()

In both cases, we ensure that the task's mm has changed (to NULL and the new mm
respectively), before we call mm_update_next_owner(), hence c->mm can never be
equal to p->mm.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[KOSAKI Motohiro]

> That is not possible. If you look at where mm_update_next_owner() is called
> from, we call it from
> 
> exit_mm() and exec_mmap()
> 
> In both cases, we ensure that the task's mm has changed (to NULL and the new mm
> respectively), before we call mm_update_next_owner(), hence c->mm can never be
> equal to p->mm.

if so, following patch is needed instead.



---
 fs/exec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/fs/exec.c
===================================================================
--- a/fs/exec.c 2008-05-04 22:57:09.000000000 +0900
+++ b/fs/exec.c 2008-05-06 15:40:35.000000000 +0900
@@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
        tsk->active_mm = mm;
        activate_mm(active_mm, mm);
        task_unlock(tsk);
-       mm_update_next_owner(mm);
+       mm_update_next_owner(old_mm);
        arch_pick_mmap_layout(mm);
        if (old_mm) {
                up_read(&old_mm->mmap_sem);


--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[KOSAKI Motohiro]

> > That is not possible. If you look at where mm_update_next_owner() is called
> > from, we call it from
> > 
> > exit_mm() and exec_mmap()
> > 
> > In both cases, we ensure that the task's mm has changed (to NULL and the new mm
> > respectively), before we call mm_update_next_owner(), hence c->mm can never be
> > equal to p->mm.
> 
> if so, following patch is needed instead.

and, one more.

comment of owner member of mm_struct is bogus.
that is not guranteed point to thread-group-leader.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>

---
 include/linux/mm_types.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Index: b/include/linux/mm_types.h
===================================================================
--- a/include/linux/mm_types.h  2008-05-04 22:56:52.000000000 +0900
+++ b/include/linux/mm_types.h  2008-05-06 15:53:04.000000000 +0900
@@ -231,8 +231,7 @@ struct mm_struct {
        rwlock_t                ioctx_list_lock;        /* aio lock */
        struct kioctx           *ioctx_list;
 #ifdef CONFIG_MM_OWNER
-       struct task_struct *owner;      /* The thread group leader that */
-                                       /* owns the mm_struct.          */
+       struct task_struct *owner;      /* point to one of task that owns the mm_struct. */
 #endif

 #ifdef CONFIG_PROC_FS



--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[Balbir Singh]

KOSAKI Motohiro wrote:
>>> That is not possible. If you look at where mm_update_next_owner() is called
>>> from, we call it from
>>>
>>> exit_mm() and exec_mmap()
>>>
>>> In both cases, we ensure that the task's mm has changed (to NULL and the new mm
>>> respectively), before we call mm_update_next_owner(), hence c->mm can never be
>>> equal to p->mm.
>> if so, following patch is needed instead.
> 
> and, one more.
> 
> comment of owner member of mm_struct is bogus.
> that is not guranteed point to thread-group-leader.
> 
> 
> Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
> 
> ---
>  include/linux/mm_types.h |    3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> Index: b/include/linux/mm_types.h
> ===================================================================
> --- a/include/linux/mm_types.h  2008-05-04 22:56:52.000000000 +0900
> +++ b/include/linux/mm_types.h  2008-05-06 15:53:04.000000000 +0900
> @@ -231,8 +231,7 @@ struct mm_struct {
>         rwlock_t                ioctx_list_lock;        /* aio lock */
>         struct kioctx           *ioctx_list;
>  #ifdef CONFIG_MM_OWNER
> -       struct task_struct *owner;      /* The thread group leader that */
> -                                       /* owns the mm_struct.          */
> +       struct task_struct *owner;      /* point to one of task that owns the mm_struct. */
>  #endif
> 
>  #ifdef CONFIG_PROC_FS
> 
> 
> 

How about just, the task that owns the mm_struct? One of, implies multiple owners.


-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[Balbir Singh]

KOSAKI Motohiro wrote:
>> That is not possible. If you look at where mm_update_next_owner() is called
>> from, we call it from
>>
>> exit_mm() and exec_mmap()
>>
>> In both cases, we ensure that the task's mm has changed (to NULL and the new mm
>> respectively), before we call mm_update_next_owner(), hence c->mm can never be
>> equal to p->mm.
> 
> if so, following patch is needed instead.
> 
> 
> 
> ---
>  fs/exec.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Index: b/fs/exec.c
> ===================================================================
> --- a/fs/exec.c 2008-05-04 22:57:09.000000000 +0900
> +++ b/fs/exec.c 2008-05-06 15:40:35.000000000 +0900
> @@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
>         tsk->active_mm = mm;
>         activate_mm(active_mm, mm);
>         task_unlock(tsk);
> -       mm_update_next_owner(mm);
> +       mm_update_next_owner(old_mm);
>         arch_pick_mmap_layout(mm);
>         if (old_mm) {
>                 up_read(&old_mm->mmap_sem);
> 
> 

Yes, good catch.

Acked-by: Balbir Singh <balbir@linux.vnet.ibm.com>

I'll go ahead and do some more testing on top of it. CC'ing Paul Menage as well.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[KOSAKI Motohiro]

> >  #ifdef CONFIG_MM_OWNER
> > -       struct task_struct *owner;      /* The thread group leader that */
> > -                                       /* owns the mm_struct.          */
> > +       struct task_struct *owner;      /* point to one of task that owns the mm_struct. */
> >  #endif
> > 
> >  #ifdef CONFIG_PROC_FS
> 
> How about just, the task that owns the mm_struct? One of, implies multiple owners.

Ah, below is better?

/* point to any one of task that related the mm_struct. */


my intention is only remove "thread group leader" word.
other things, I obey your favor. 

Cheers!



--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: on CONFIG_MM_OWNER=y, kernel panic is possible.

[Paul Menage]

On Mon, May 5, 2008 at 11:43 PM, KOSAKI Motohiro
<kosaki.motohiro@jp.fujitsu.com> wrote:
> > >  #ifdef CONFIG_MM_OWNER
>  > > -       struct task_struct *owner;      /* The thread group leader that */
>  > > -                                       /* owns the mm_struct.          */
>  > > +       struct task_struct *owner;      /* point to one of task that owns the mm_struct. */
>  > >  #endif
>  > >
>  > >  #ifdef CONFIG_PROC_FS
>  >
>  > How about just, the task that owns the mm_struct? One of, implies multiple owners.
>
>  Ah, below is better?
>
>  /* point to any one of task that related the mm_struct. */

I'd word it as

/*
 * "owner" points to a task that is regarded as the canonical
 * user/owner of this mm. All of the following must be true in
 * order for it to be changed:
 *
 * current == mm->owner
 * current->mm != mm
 * new_owner->mm == mm
 * new_owner->alloc_lock is held
 */

Paul

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

[PATCH] on CONFIG_MM_OWNER=y, kernel panic is possible. take2

[KOSAKI Motohiro]

> I'd word it as
> 
> /*
>  * "owner" points to a task that is regarded as the canonical
>  * user/owner of this mm. All of the following must be true in
>  * order for it to be changed:
>  *
>  * current == mm->owner
>  * current->mm != mm
>  * new_owner->mm == mm
>  * new_owner->alloc_lock is held
>  */

Wow, Thank you a lot!
new version attached.

Cheers!


-----------------------------------------------------------
When mm destruct happend, We should pass mm_update_next_owner() 
old mm.
but unfortunately new mm is passed in exec_mmap().

thus, kernel panic is possible when multi thread process use exec().


and, owner member comment description is wrong.
mm->owner don't not necessarily point to thread group leader.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
CC: Balbir Singh <balbir@linux.vnet.ibm.com>
CC: "Paul Menage" <menage@google.com>
CC: "KAMEZAWA Hiroyuki" <kamezawa.hiroyu@jp.fujitsu.com>

---
 fs/exec.c                |    2 +-
 include/linux/mm_types.h |   13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

Index: b/fs/exec.c
===================================================================
--- a/fs/exec.c	2008-05-04 22:57:09.000000000 +0900
+++ b/fs/exec.c	2008-05-06 15:40:35.000000000 +0900
@@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
 	tsk->active_mm = mm;
 	activate_mm(active_mm, mm);
 	task_unlock(tsk);
-	mm_update_next_owner(mm);
+	mm_update_next_owner(old_mm);
 	arch_pick_mmap_layout(mm);
 	if (old_mm) {
 		up_read(&old_mm->mmap_sem);
Index: b/include/linux/mm_types.h
===================================================================
--- a/include/linux/mm_types.h	2008-05-08 09:20:13.000000000 +0900
+++ b/include/linux/mm_types.h	2008-05-08 09:22:13.000000000 +0900
@@ -231,8 +231,17 @@ struct mm_struct {
 	rwlock_t		ioctx_list_lock;	/* aio lock */
 	struct kioctx		*ioctx_list;
 #ifdef CONFIG_MM_OWNER
-	struct task_struct *owner;	/* The thread group leader that */
-					/* owns the mm_struct.		*/
+        /*
+         * "owner" points to a task that is regarded as the canonical
+         * user/owner of this mm. All of the following must be true in
+         * order for it to be changed:
+         *
+         * current == mm->owner
+         * current->mm != mm
+         * new_owner->mm == mm
+         * new_owner->alloc_lock is held
+         */
+	struct task_struct *owner;
 #endif
 
 #ifdef CONFIG_PROC_FS




--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

Re: [PATCH] on CONFIG_MM_OWNER=y, kernel panic is possible. take2

[Balbir Singh]

KOSAKI Motohiro wrote:
>> I'd word it as
>>
>> /*
>>  * "owner" points to a task that is regarded as the canonical
>>  * user/owner of this mm. All of the following must be true in
>>  * order for it to be changed:
>>  *
>>  * current == mm->owner
>>  * current->mm != mm
>>  * new_owner->mm == mm
>>  * new_owner->alloc_lock is held
>>  */
> 
> Wow, Thank you a lot!
> new version attached.
> 
> Cheers!
> 
> 
> -----------------------------------------------------------
> When mm destruct happend, We should pass mm_update_next_owner() 
> old mm.
> but unfortunately new mm is passed in exec_mmap().
> 
> thus, kernel panic is possible when multi thread process use exec().
> 
> 
> and, owner member comment description is wrong.
> mm->owner don't not necessarily point to thread group leader.
> 
> 
> Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
> CC: Balbir Singh <balbir@linux.vnet.ibm.com>
> CC: "Paul Menage" <menage@google.com>
> CC: "KAMEZAWA Hiroyuki" <kamezawa.hiroyu@jp.fujitsu.com>
> 
> ---
>  fs/exec.c                |    2 +-
>  include/linux/mm_types.h |   13 +++++++++++--
>  2 files changed, 12 insertions(+), 3 deletions(-)
> 
> Index: b/fs/exec.c
> ===================================================================
> --- a/fs/exec.c	2008-05-04 22:57:09.000000000 +0900
> +++ b/fs/exec.c	2008-05-06 15:40:35.000000000 +0900
> @@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
>  	tsk->active_mm = mm;
>  	activate_mm(active_mm, mm);
>  	task_unlock(tsk);
> -	mm_update_next_owner(mm);
> +	mm_update_next_owner(old_mm);
>  	arch_pick_mmap_layout(mm);
>  	if (old_mm) {
>  		up_read(&old_mm->mmap_sem);
> Index: b/include/linux/mm_types.h
> ===================================================================
> --- a/include/linux/mm_types.h	2008-05-08 09:20:13.000000000 +0900
> +++ b/include/linux/mm_types.h	2008-05-08 09:22:13.000000000 +0900
> @@ -231,8 +231,17 @@ struct mm_struct {
>  	rwlock_t		ioctx_list_lock;	/* aio lock */
>  	struct kioctx		*ioctx_list;
>  #ifdef CONFIG_MM_OWNER
> -	struct task_struct *owner;	/* The thread group leader that */
> -					/* owns the mm_struct.		*/
> +        /*
> +         * "owner" points to a task that is regarded as the canonical
> +         * user/owner of this mm. All of the following must be true in
> +         * order for it to be changed:
> +         *
> +         * current == mm->owner
> +         * current->mm != mm
> +         * new_owner->mm == mm
> +         * new_owner->alloc_lock is held
> +         */
> +	struct task_struct *owner;
>  #endif
> 
>  #ifdef CONFIG_PROC_FS
> 

Looks good to me, but I've not tested it

Acked-by: Balbir Singh <balbir@linux.vnet.ibm.com>

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>