    [PATCH] fix /proc mm_struct refcounting bug · 7d33101c
    Andrew Morton authored
    From: Suparna Bhattacharya <suparna@in.ibm.com>
    
    The /proc code's bare atomic_inc(&mm->count) is racy against __exit_mm()'s
    mmput() on another CPU: it calls mmput() outside task_lock(tsk), and
    task_lock() isn't appropriate locking anyway.
    
    So what happens is:
    
    CPU0                                    CPU1

    mmput()
    ->atomic_dec_and_lock(mm->mm_users)
                                            atomic_inc(mm->mm_users)
    ->list_del(mm->mmlist)
                                            mmput()
                                            ->atomic_dec_and_lock(mm->mm_users)
                                            ->list_del(mm->mmlist)
    
    And the double list_del() of course goes splat.
    
    So we use mmlist_lock to synchronise these steps.
    
    The patch implements a new mmgrab() routine which increments mm_users only if
    the mm isn't already going away.  Changes get_task_mm() and proc_pid_stat()
    to call mmgrab() instead of a direct atomic_inc(&mm->mm_users).
    
    Hugh, there's some cruft in swapoff which looks like it should be using
    mmgrab()...
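A user-space C model of the mmgrab()/mmput() pairing the message describes, added here as an illustration and not taken from the kernel patch: mm_struct, the mmlist and mmlist_lock are stand-ins, the spinlock is a test-and-set flag, and list_del() is given a guard that reports a double unlink instead of going splat.

```c
/* Constructed model of the mm_users refcount, the mmlist and mmgrab()/mmput();
 * not the kernel's code. A bare atomic_inc() can resurrect an mm whose count
 * already reached zero; mmgrab() checks the count under mmlist_lock instead. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct mm_struct {
    atomic_int mm_users;
    bool on_mmlist;            /* stands in for membership of mm->mmlist */
};

static atomic_flag mmlist_lock = ATOMIC_FLAG_INIT;   /* test-and-set spinlock */
static void spin_lock(void)   { while (atomic_flag_test_and_set(&mmlist_lock)) ; }
static void spin_unlock(void) { atomic_flag_clear(&mmlist_lock); }

/* list_del() with a guard: returns false on a double unlink (the "splat"). */
static bool list_del(struct mm_struct *mm)
{
    bool was_linked = mm->on_mmlist;
    mm->on_mmlist = false;
    return was_linked;
}

/* The old /proc path: bump the count whatever its value, no lock, no check. */
static void racy_grab(struct mm_struct *mm)
{
    atomic_fetch_add(&mm->mm_users, 1);
}

/* mmgrab(): take a reference only if the mm is not already going away. */
static struct mm_struct *mmgrab(struct mm_struct *mm)
{
    spin_lock();
    if (atomic_load(&mm->mm_users) == 0)
        mm = NULL;                        /* last user already dropped it */
    else
        atomic_fetch_add(&mm->mm_users, 1);
    spin_unlock();
    return mm;
}

/* mmput(): the last reference unlinks the mm under mmlist_lock, mirroring
 * atomic_dec_and_lock() + list_del() (simplified: the lock is taken on every
 * decrement). Returns 1 if last, 0 otherwise, -1 on a double list_del(). */
static int mmput(struct mm_struct *mm)
{
    int rc = 0;
    spin_lock();
    if (atomic_fetch_sub(&mm->mm_users, 1) == 1)
        rc = list_del(mm) ? 1 : -1;
    spin_unlock();
    return rc;
}
```

Dropping the only reference and then calling racy_grab() followed by mmput() reproduces the double list_del(); the same sequence through mmgrab() yields NULL and never reaches the second unlink.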