Re: dget BUG from proc_exe_link in 2.6.6-mm2

[Neil Brown]

On Sunday May 16, akpm@xxxxxxxx wrote:
> exit_mmap() (at least) doesn't hold down_write(mmap_sem), and never has -
> it assumes that there are no more references to the going-away mm's vma
> tree.  It forgot about /proc.  I don't immediately see why this is a new
> bug.
> 
> I dunno if this will work, but I do know that it'll cause deadlocks every
> time when the oops code tries to kill off the oopsing task via do_exit(),
> which is a bit unfortunate.
> 

You don't really need to protect the remove_vm_struct.  You only need
to protect mm->mmap.  It should be sufficient to 'down' and 'up' the
semaphore after "mm->mmap = NULL" and before calling remove_mv_struct.
That will synchronise with proc_exe_link.

NeilBrown


 ----------- Diffstat output ------------
 ./mm/mmap.c |    7 +++++++
 1 files changed, 7 insertions(+)

diff ./mm/mmap.c~current~ ./mm/mmap.c
--- ./mm/mmap.c~current~	2004-05-17 12:28:07.000000000 +1000
+++ ./mm/mmap.c	2004-05-17 12:28:09.000000000 +1000
@@ -1493,6 +1493,13 @@ void exit_mmap(struct mm_struct *mm)
 
 	spin_unlock(&mm->page_table_lock);
 
+	down_write(&mm->mmap_sem);
+	/* anyone who might have grabbed mm->mmap before we NULLed it
+	 * should have done so under mm->mmap_sem (e.g. proc_exe_link)
+	 * and so will have let go if it by now, so it is safe to tear it down
+	 */
+	up_write(&mm->mmap_sem);
+
 	/*
 	 * Walk the list again, actually closing and freeing it
 	 * without holding any MM locks.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/