Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4cd1a8fc authored May 12, 2008 by KOSAKI Motohiro Committed by Linus Torvalds May 13, 2008

memcg: fix possible panic when CONFIG_MM_OWNER=y



When mm destruction happens, we should pass mm_update_next_owner() the old mm.
 But unfortunately new mm is passed in exec_mmap().

Thus, kernel panic is possible when a multi-threaded process uses exec().

Also, the owner member comment description is wrong.  mm->owner does not
necessarily point to the thread group leader.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: "Paul Menage" <menage@google.com>
Cc: "KAMEZAWA Hiroyuki" <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent c9bfcb31

fs/exec.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -736,7 +736,7 @@ static int exec_mmap(struct mm_struct *mm)
	tsk->active_mm = mm;		tsk->active_mm = mm;
	activate_mm(active_mm, mm);		activate_mm(active_mm, mm);
	task_unlock(tsk);		task_unlock(tsk);
	mm_update_next_owner(mm);		mm_update_next_owner(old_mm);
	arch_pick_mmap_layout(mm);		arch_pick_mmap_layout(mm);
	if (old_mm) {		if (old_mm) {
	up_read(&old_mm->mmap_sem);		up_read(&old_mm->mmap_sem);

include/linux/mm_types.h

+11 −2

Original line number	Original line	Diff line number	Diff line
	@@ -226,8 +226,17 @@ struct mm_struct {
	rwlock_t ioctx_list_lock; /* aio lock */		rwlock_t ioctx_list_lock; /* aio lock */
	struct kioctx *ioctx_list;		struct kioctx *ioctx_list;
	#ifdef CONFIG_MM_OWNER		#ifdef CONFIG_MM_OWNER
	struct task_struct owner; / The thread group leader that */		/*
	/* owns the mm_struct. */		* "owner" points to a task that is regarded as the canonical
			* user/owner of this mm. All of the following must be true in
			* order for it to be changed:
			*
			* current == mm->owner
			* current->mm != mm
			* new_owner->mm == mm
			* new_owner->alloc_lock is held
			*/
			struct task_struct *owner;
	#endif		#endif

	#ifdef CONFIG_PROC_FS		#ifdef CONFIG_PROC_FS