on CONFIG_MM_OWNER=y (that is automatically turned on by mem-cgroup),
kernel panic is possible by following scenario in mm_update_next_owner().

1. mm_update_next_owner() is called.
2. found caller task in do_each_thread() loop.
3. thus, BUG_ON(c == p) is true, it become kernel panic.

end up, We should left out current task.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
CC: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
CC: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
CC: Balbir Singh <balbir@linux.vnet.ibm.com>

---
 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/kernel/exit.c
===================================================================
--- a/kernel/exit.c     2008-05-04 22:57:23.000000000 +0900
+++ b/kernel/exit.c     2008-05-06 15:01:26.000000000 +0900
@@ -627,7 +627,7 @@ retry:
         * here often
         */
        do_each_thread(g, c) {
-               if (c->mm == mm)
+               if ((c != p) && (c->mm == mm))
                        goto assign_new_owner;
        } while_each_thread(g, c);


--

That is not possible. If you look at where mm_update_next_owner() is called
from, we call it from

exit_mm() and exec_mmap()

In both cases, we ensure that the task's mm has changed (to NULL and the new mm
respectively), before we call mm_update_next_owner(), hence c->mm can never be
equal to p->mm.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL
--

if so, following patch is needed instead.



---
 fs/exec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: b/fs/exec.c
===================================================================
--- a/fs/exec.c 2008-05-04 22:57:09.000000000 +0900
+++ b/fs/exec.c 2008-05-06 15:40:35.000000000 +0900
@@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
        tsk->active_mm = mm;
        activate_mm(active_mm, mm);
        task_unlock(tsk);
-       mm_update_next_owner(mm);
+       mm_update_next_owner(old_mm);
        arch_pick_mmap_layout(mm);
        if (old_mm) {
                up_read(&old_mm->mmap_sem);


--

Yes, good catch.

Acked-by: Balbir Singh <balbir@linux.vnet.ibm.com>

I'll go ahead and do some more testing on top of it. CC'ing Paul Menage as well.

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL
--

and, one more.

comment of owner member of mm_struct is bogus.
that is not guranteed point to thread-group-leader.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>

---
 include/linux/mm_types.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Index: b/include/linux/mm_types.h
===================================================================
--- a/include/linux/mm_types.h  2008-05-04 22:56:52.000000000 +0900
+++ b/include/linux/mm_types.h  2008-05-06 15:53:04.000000000 +0900
@@ -231,8 +231,7 @@ struct mm_struct {
        rwlock_t                ioctx_list_lock;        /* aio lock */
        struct kioctx           *ioctx_list;
 #ifdef CONFIG_MM_OWNER
-       struct task_struct *owner;      /* The thread group leader that */
-                                       /* owns the mm_struct.          */
+       struct task_struct *owner;      /* point to one of task that owns the mm_struct. */
 #endif

 #ifdef CONFIG_PROC_FS



--

How about just, the task that owns the mm_struct? One of, implies multiple owners.


-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL
--

Ah, below is better?

/* point to any one of task that related the mm_struct. */


my intention is only remove "thread group leader" word.
other things, I obey your favor. 

Cheers!



--

On Mon, May 5, 2008 at 11:43 PM, KOSAKI Motohiro

I'd word it as

/*
 * "owner" points to a task that is regarded as the canonical
 * user/owner of this mm. All of the following must be true in
 * order for it to be changed:
 *
 * current == mm->owner
 * current->mm != mm
 * new_owner->mm == mm
 * new_owner->alloc_lock is held
 */

Paul
--

Wow, Thank you a lot!
new version attached.

Cheers!


-----------------------------------------------------------
When mm destruct happend, We should pass mm_update_next_owner() 
old mm.
but unfortunately new mm is passed in exec_mmap().

thus, kernel panic is possible when multi thread process use exec().


and, owner member comment description is wrong.
mm->owner don't not necessarily point to thread group leader.


Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
CC: Balbir Singh <balbir@linux.vnet.ibm.com>
CC: "Paul Menage" <menage@google.com>
CC: "KAMEZAWA Hiroyuki" <kamezawa.hiroyu@jp.fujitsu.com>

---
 fs/exec.c                |    2 +-
 include/linux/mm_types.h |   13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

Index: b/fs/exec.c
===================================================================
--- a/fs/exec.c	2008-05-04 22:57:09.000000000 +0900
+++ b/fs/exec.c	2008-05-06 15:40:35.000000000 +0900
@@ -735,7 +735,7 @@ static int exec_mmap(struct mm_struct *m
 	tsk->active_mm = mm;
 	activate_mm(active_mm, mm);
 	task_unlock(tsk);
-	mm_update_next_owner(mm);
+	mm_update_next_owner(old_mm);
 	arch_pick_mmap_layout(mm);
 	if (old_mm) {
 		up_read(&old_mm->mmap_sem);
Index: b/include/linux/mm_types.h
===================================================================
--- a/include/linux/mm_types.h	2008-05-08 09:20:13.000000000 +0900
+++ b/include/linux/mm_types.h	2008-05-08 09:22:13.000000000 +0900
@@ -231,8 +231,17 @@ struct mm_struct {
 	rwlock_t		ioctx_list_lock;	/* aio lock */
 	struct kioctx		*ioctx_list;
 #ifdef CONFIG_MM_OWNER
-	struct task_struct *owner;	/* The thread group leader that */
-					/* owns the mm_struct.		*/
+        /*
+         * "owner" points to a task that is regarded as the canonical
+         * user/owner of this mm. All of the following must be true in
+         * order for it to be changed:
+         *
+         * current == mm->owner
+         ...
[ message continues ]

Looks good to me, but I've not tested it

Acked-by: Balbir Singh <balbir@linux.vnet.ibm.com>

-- 
	Warm Regards,
	Balbir Singh
	Linux Technology Center
	IBM, ISTL
--