Re: [RFC 3/3] mm: process_mrelease: introduce PROCESS_MRELEASE_REAP_KILL flag

Next message: Peter Schneider: "Re: [PATCH 6.19 000/220] 6.19.14-rc1 review"
Previous message: syzbot: "[syzbot] [net?] [usb?] KASAN: slab-use-after-free Read in rtl8150_start_xmit"
In reply to: Michal Hocko: "Re: [RFC 3/3] mm: process_mrelease: introduce PROCESS_MRELEASE_REAP_KILL flag"
Next in thread: Michal Hocko: "Re: [RFC 3/3] mm: process_mrelease: introduce PROCESS_MRELEASE_REAP_KILL flag"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Minchan Kim

Date: Mon Apr 20 2026 - 17:48:41 EST

On Fri, Apr 17, 2026 at 09:04:31AM +0200, Michal Hocko wrote:
> On Thu 16-04-26 23:30:09, Minchan Kim wrote:
> > If I send the SIGKILL first to satisfy the process_mrelease() requirement,
> > we immediately run into the scheduling race condition where the victim can
> > enter the exit path before the reaper can set the flag.
>
> Why don't you just grab the mm before you send the signal and then continue
> with reaping? You just want to avoid a race where the victim manages to
> process fatal signal, start its exit path and mrelease path losing that
> race so you rely on the exit path, right?

The problem is that process_mrelease() operates on a task obtained from a pidfd.

Once the victim process receives the SIGKILL and enters the exit path (exit_mm),
the kernel sets task->mm to NULL.

Even if we could somehow hold a reference to the mm_struct beforehand,
process_mrelease() would still fail because mm_struct via task returns NULL
after exit_mm() has been called.

Therefore, we cannot simply "grab the mm" before sending the signal and expect
process_mrelease() to work after the victim starts exiting.