Virtualization - Dec 2018 - [PATCH] Export mm_update_next_owner function for vhost-net

On 2018/12/13 ??12:47, gchen.guomin at gmail.com wrote:
> From: guomin chen <gchen.guomin at gmail.com>
>
>   Under normal circumstances,When do_exit exits, mm->owner will
>   be updated on exit_mm(). but when the kernel process calls
>   unuse_mm() and then exits,mm->owner cannot be updated. And it
>   will point to a task that has been released.
>
>   Below is my issue on vhost_net:
>      A, B are two kernel processes(such as vhost_worker),
>      C is a user space process(such as qemu), and all
>      three use the mm of the user process C.
>      Now, because user process C exits abnormally, the owner of this
>      mm becomes A. When A calls unuse_mm and exits, this mm->ower
>      still points to the A that has been released.
>      When B accesses this mm->owner again, A has been released.

Could you describe how you reproduce this issue? I believe vhost process 
should exit before process C?

>
>   Process A             Process B
>   vhost_worker()        vhost_worker()
>    ---------             ---------
>    use_mm()              use_mm()
>     ...
>    unuse_mm()
>       tsk->mm=NULL
>     do_exit()            page fault
>      exit_mm()           access mm->owner
>     can't update owner   kernel Oops
>
>                          unuse_mm()
>
> Cc: "Michael S. Tsirkin" <mst at redhat.com>
> Cc: Jason Wang <jasowang at redhat.com>
> Cc: kvm at vger.kernel.org
> Cc: virtualization at lists.linux-foundation.org
> Cc: netdev at vger.kernel.org
> Cc: linux-kernel at vger.kernel.org
> Cc: "Eric W. Biederman" <ebiederm at xmission.com>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
> Cc: "Luis R. Rodriguez" <mcgrof at kernel.org>
> Cc: Dominik Brodowski <linux at dominikbrodowski.net>
> Signed-off-by: guomin chen <gchen.guomin at gmail.com>
> ---
>   drivers/vhost/vhost.c | 1 +
>   kernel/exit.c         | 1 +
>   2 files changed, 2 insertions(+)
>
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
> index 6b98d8e..7c09087 100644
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -368,6 +368,7 @@ static int vhost_worker(void *data)
>   		}
>   	}
>   	unuse_mm(dev->mm);
> +	mm_update_next_owner(dev->mm);

If you analysis is correct, this is still racy isn't it? (E.g page fault 
happen between unuse_mm() and mm_update_next_owner()).

Thanks

>   	set_fs(oldfs);
>   	return 0;
>   }
> diff --git a/kernel/exit.c b/kernel/exit.c
> index 0e21e6d..9e046dd 100644
> --- a/kernel/exit.c
> +++ b/kernel/exit.c
> @@ -486,6 +486,7 @@ void mm_update_next_owner(struct mm_struct *mm)
>   	task_unlock(c);
>   	put_task_struct(c);
>   }
> +EXPORT_SYMBOL(mm_update_next_owner);
>   #endif /* CONFIG_MEMCG */
>   
>   /*