[PATCH] Fix mm->owner point to a task that does not exists.
From: gchen . guomin
Date: Tue Dec 11 2018 - 20:54:29 EST
From: guomin chen <gchen.guomin@xxxxxxxxx>
Under normal circumstances,When do_exit exits, mm->owner will
be updated on exit_mm(). but when the kernel process calls
unuse_mm() and then exits,mm->owner cannot be updated. And it
will point to a task that has been released.
Below is my issue on vhost_net:
A, B are two kernel processes(such as vhost_worker),
C is a user space process(such as qemu), and all
three use the mm of the user process C.
Now, because user process C exits abnormally, the owner of this
mm becomes A. When A calls unuse_mm and exits, this mm->ower
still points to the A that has been released.
When B accesses this mm->owner again, A has been released.
Process A Process B
do_exit() page fault
exit_mm() access mm->owner
can't update owner kernel Oops
Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
Cc: Jason Wang <jasowang@xxxxxxxxxx>
Signed-off-by: guomin chen <gchen.guomin@xxxxxxxxx>
drivers/vhost/vhost.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 6b98d8e..7f8586a 100644
@@ -368,6 +368,10 @@ static int vhost_worker(void *data)
+ /* current->mm needs to be processed by the later exit_mm() */
+ current->mm = dev->mm;