• Christoph Lameter's avatar
    mm: fix move/migrate_pages() race on task struct · 3268c63e
    Christoph Lameter authored
    Migration functions perform the rcu_read_unlock too early.  As a result
    the task pointed to may change from under us.  This can result in an oops,
    as reported by Dave Hansen in https://lkml.org/lkml/2012/2/23/302.
    
    The following patch extend the period of the rcu_read_lock until after the
    permissions checks are done.  We also take a refcount so that the task
    reference is stable when calling security check functions and performing
    cpuset node validation (which takes a mutex).
    
    The refcount is dropped before actual page migration occurs so there is no
    change to the refcounts held during page migration.
    
    Also move the determination of the mm of the task struct to immediately
    before the do_migrate*() calls so that it is clear that we switch from
    handling the task during permission checks to the mm for the actual
    migration.  Since the determination is only done once and we then no
    longer use the task_struct we can be sure that we operate on a specific
    address space that will not change from under us.
    
    [akpm@linux-foundation.org: checkpatch fixes]
    Signed-off-by: default avatarChristoph Lameter <cl@linux.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Reported-by: default avatarDave Hansen <dave@linux.vnet.ibm.com>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: Hugh Dickins <hughd@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    3268c63e
migrate.c 33.6 KB