[PATCH] Fix mm->owner point to a task that does not exists

From: gchen . guomin
Date: Sun Dec 09 2018 - 02:21:56 EST

From: guominchen <guominchen@xxxxxxxxxxx>

Under normal circumstances,When do_exit exits, mm->owner will
be updated, but when the kernel process calls unuse_mm and exits,
mm->owner cannot be updated. And will point to a task that has
been released.

Below is my issue on vhost_net:
A, B are two kernel processes(such as vhost_worker),
C is a user space process(such as qemu), and all
three use the mm of the user process C.
Now, because user process C exits abnormally, the owner of this
mm becomes A. When A calls unuse_mm and exits, this mm->ower
still points to the A that has been released.
When B accesses this mm->owner again, A has been released.

Process A Process B
vhost_worker() vhost_worker()
--------- ---------
use_mm() use_mm()
do_exit() page fault
exit_mm() access mm->owner
can't update owner kernel Oops


Cc: <linux-mm@xxxxxxxxx>
Cc: <linux-kernel@xxxxxxxxxxxxxxx>
Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
Cc: Jason Wang <jasowang@xxxxxxxxxx>
Cc: <netdev@xxxxxxxxxxxxxxx>
Signed-off-by: guominchen <guominchen@xxxxxxxxxxx>
mm/mmu_context.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/mm/mmu_context.c b/mm/mmu_context.c
index 3e612ae..185bb23 100644
--- a/mm/mmu_context.c
+++ b/mm/mmu_context.c
@@ -56,7 +56,6 @@ void unuse_mm(struct mm_struct *mm)

- tsk->mm = NULL;
/* active_mm is still 'mm' */
enter_lazy_tlb(mm, tsk);