From: Michal Hocko <mhocko@suse.com>
To: Chen Yu <yu.c.chen@intel.com>
Cc: Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Juri Lelli <juri.lelli@redhat.com>,
Vincent Guittot <vincent.guittot@linaro.org>,
Dietmar Eggemann <dietmar.eggemann@arm.com>,
Steven Rostedt <rostedt@goodmis.org>,
Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
Valentin Schneider <vschneid@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Tim Chen <tim.c.chen@intel.com>,
linux-kernel@vger.kernel.org, Jirka Hladky <jhladky@redhat.com>,
Srikanth Aithal <Srikanth.Aithal@amd.com>,
Suneeth D <Suneeth.D@amd.com>, Libo Chen <libo.chen@oracle.com>
Subject: Re: [PATCH] sched/numa: Fix NULL pointer access to mm_struct durng task swap
Date: Thu, 3 Jul 2025 09:18:15 +0200
Message-ID: <aGYutwftSAPgPzf-@tiehlicka>
In-Reply-To: <20250702163247.324439-1-yu.c.chen@intel.com>

On Thu 03-07-25 00:32:47, Chen Yu wrote:
> It was reported that after Commit ad6b26b6a0a7
> ("sched/numa: add statistics of numa balance task"),
> a NULL pointer exception[1] occurs when accessing
> p->mm. The following race condition was found to
> trigger this bug: After a swap task candidate is
> chosen during NUMA balancing, its mm_struct is
> released due to task exit. Later, when the task
> swapping is performed, p->mm is NULL, which causes
> the problem:
>
> CPU0                                    CPU1
> :
> ...
> task_numa_migrate
>   task_numa_find_cpu
>     task_numa_compare
>       # a normal task p is chosen
>       env->best_task = p
>
>                                         # p exit:
>                                         exit_signals(p);
>                                           p->flags |= PF_EXITING
>                                         exit_mm
>                                           p->mm = NULL;
>
>   migrate_swap_stop
>     __migrate_swap_task((arg->src_task, arg->dst_cpu)
>       count_memcg_event_mm(p->mm, NUMA_TASK_SWAP)# p->mm is NULL
>
> Fix this issue by checking if the task has the PF_EXITING
> flag set in migrate_swap_stop(). If it does, skip updating
> the memcg events. Additionally, log a warning if p->mm is
> NULL to facilitate future debugging.
>
> Fixes: ad6b26b6a0a7 ("sched/numa: add statistics of numa balance task")
> Reported-by: Jirka Hladky <jhladky@redhat.com>
> Closes: https://lore.kernel.org/all/CAE4VaGBLJxpd=NeRJXpSCuw=REhC5LWJpC29kDy-Zh2ZDyzQZA@mail.gmail.com/
> Reported-by: Srikanth Aithal <Srikanth.Aithal@amd.com>
> Reported-by: Suneeth D <Suneeth.D@amd.com>
> Suggested-by: Libo Chen <libo.chen@oracle.com>
> Signed-off-by: Chen Yu <yu.c.chen@intel.com>
> ---
> kernel/sched/core.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> index 8988d38d46a3..4e06bb955dad 100644
> --- a/kernel/sched/core.c
> +++ b/kernel/sched/core.c
> @@ -3364,7 +3364,14 @@ static void __migrate_swap_task(struct task_struct *p, int cpu)
> {
> __schedstat_inc(p->stats.numa_task_swapped);
> count_vm_numa_event(NUMA_TASK_SWAP);
> - count_memcg_event_mm(p->mm, NUMA_TASK_SWAP);
> + /* exiting task has NULL mm */
> + if (!(p->flags & PF_EXITING)) {
> + WARN_ONCE(!p->mm, "swap task %d %s %x has no mm\n",
> + p->pid, p->comm, p->flags);

As Andrew already said this is not really acceptable because this is
very likely too easy to trigger and a) you do not want logs flooded with
warnings and also there are setups with panic_on_warn configured and for
those this would be a fatal situation without any good reason.

> +
> + if (p->mm)
> + count_memcg_event_mm(p->mm, NUMA_TASK_SWAP);
> + }

Why are you testing for p->mm here? Isn't PF_EXITING test sufficient?
A robust way to guarantee non-NULL mm against races when a task is
exiting is find_lock_task_mm. Probably too heavyweight for this path.

>
> if (task_on_rq_queued(p)) {
> struct rq *src_rq, *dst_rq;
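
Review bot: at `if (p->mm)` followed by `count_memcg_event_mm(p->mm, NUMA_TASK_SWAP);`, p->mm is loaded once for the test and again for the argument (and once more in the WARN_ONCE condition), and nothing in this hunk holds off the exit path that the commit message shows storing NULL to p->mm on another CPU, so the test can pass and the call can still receive NULL. Read p->mm once into a local, then test and pass that local, or drop the p->mm test if the PF_EXITING check is meant to be the only guard. The comment `/* exiting task has NULL mm */` should also say which of the two checks the code relies on.
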
> --
> 2.25.1
>
--
Michal Hocko
SUSE Labs
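
A userspace model of the window discussed above, added here as an illustration and not code from the patch or the kernel: `count_flag_check` tests only PF_EXITING before using `p->mm`, while `count_locked` takes a lock, tests `mm` under it and holds it across the use, which is the shape the reply refers to with find_lock_task_mm. The struct layout, the spinlock, `model_exit` and the injected `other_cpu` callback are assumptions of the model, including that the exit path clears `mm` under the same lock.

```c
#include <stdatomic.h>
#include <stddef.h>
#define PF_EXITING 0x4u   /* flag bit used by this model */
struct mm { long numa_task_swap; };
struct task { atomic_flag lock; unsigned int flags; struct mm *mm; };
typedef void (*window_fn)(struct task *);   /* what the other CPU does in the window */

/* Exit in the commit message's order: flag, then mm.
 * A real exit would wait for a held lock; the model leaves mm alone. */
static void model_exit(struct task *p)
{
    p->flags |= PF_EXITING;
    if (atomic_flag_test_and_set(&p->lock))
        return;
    p->mm = NULL;
    atomic_flag_clear(&p->lock);
}

/* Flag test, then use. -1 marks where a NULL p->mm would have been dereferenced. */
static int count_flag_check(struct task *p, window_fn other_cpu)
{
    if (p->flags & PF_EXITING)
        return 0;
    other_cpu(p);                 /* exit lands between the test and the use */
    if (!p->mm)
        return -1;
    p->mm->numa_task_swap++;
    return 1;
}

/* Lock, test mm under the lock, keep the lock across the use. */
static int count_locked(struct task *p, window_fn other_cpu)
{
    int counted = 0;
    while (atomic_flag_test_and_set(&p->lock)) { }   /* uncontended in this single-threaded run */
    if (p->mm) {
        other_cpu(p);             /* exit cannot clear mm while the lock is held */
        p->mm->numa_task_swap++;
        counted = 1;
    }
    atomic_flag_clear(&p->lock);
    return counted;
}

static int demo(int locked)   /* constructed scenario: live task, exit injected into the window */
{
    struct mm m = { 0 };
    struct task t = { ATOMIC_FLAG_INIT, 0, &m };
    return locked ? count_locked(&t, model_exit) : count_flag_check(&t, model_exit);
}
int main(void) { return !(demo(0) == -1 && demo(1) == 1); }
```

The interleaving is injected from a single thread so the outcome is deterministic; it shows the ordering only and says nothing about how wide the window is on a real system.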