Re: [PATCH] Export mm_update_next_owner function for vhost-net
From: Jason Wang <jasowang@redhat.com>
Date: 2018-12-13 06:30:48
On 2018/12/13 下午12:47, gchen.guomin@gmail.com wrote:
From: guomin chen <redacted>
Under normal circumstances,When do_exit exits, mm->owner will
be updated on exit_mm(). but when the kernel process calls
unuse_mm() and then exits,mm->owner cannot be updated. And it
will point to a task that has been released.
Below is my issue on vhost_net:
A, B are two kernel processes(such as vhost_worker),
C is a user space process(such as qemu), and all
three use the mm of the user process C.
Now, because user process C exits abnormally, the owner of this
mm becomes A. When A calls unuse_mm and exits, this mm->ower
still points to the A that has been released.
When B accesses this mm->owner again, A has been released.Could you describe how you reproduce this issue? I believe vhost process should exit before process C?
quoted hunk
Process A Process B vhost_worker() vhost_worker() --------- --------- use_mm() use_mm() ... unuse_mm() tsk->mm=NULL do_exit() page fault exit_mm() access mm->owner can't update owner kernel Oops unuse_mm() Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Cc: kvm@vger.kernel.org Cc: virtualization@lists.linux-foundation.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: "Eric W. Biederman" <redacted> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com> Cc: "Luis R. Rodriguez" <mcgrof@kernel.org> Cc: Dominik Brodowski <linux@dominikbrodowski.net> Signed-off-by: guomin chen <redacted> --- drivers/vhost/vhost.c | 1 + kernel/exit.c | 1 + 2 files changed, 2 insertions(+)diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 6b98d8e..7c09087 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c@@ -368,6 +368,7 @@ static int vhost_worker(void *data) } } unuse_mm(dev->mm); + mm_update_next_owner(dev->mm);
If you analysis is correct, this is still racy isn't it? (E.g page fault happen between unuse_mm() and mm_update_next_owner()). Thanks
quoted hunk
set_fs(oldfs); return 0; }diff --git a/kernel/exit.c b/kernel/exit.c index 0e21e6d..9e046dd 100644 --- a/kernel/exit.c +++ b/kernel/exit.c@@ -486,6 +486,7 @@ void mm_update_next_owner(struct mm_struct *mm) task_unlock(c); put_task_struct(c); } +EXPORT_SYMBOL(mm_update_next_owner); #endif /* CONFIG_MEMCG */ /*
_______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization