Commit 4b608023 authored by David Rientjes's avatar David Rientjes Committed by james toy

fix race, add pid & comm to message

On Tue, 10 Nov 2009, akpm@linux-foundation.org wrote:

> diff -puN mm/oom_kill.c~oom-kill-show-virtual-size-and-rss-information-of-the-killed-process mm/oom_kill.c
> --- a/mm/oom_kill.c~oom-kill-show-virtual-size-and-rss-information-of-the-killed-process
> +++ a/mm/oom_kill.c
> @@ -352,6 +352,8 @@ static void dump_header(gfp_t gfp_mask,
>  		dump_tasks(mem);
>  }
>
> +#define K(x) ((x) << (PAGE_SHIFT-10))
> +
>  /*
>   * Send SIGKILL to the selected  process irrespective of  CAP_SYS_RAW_IO
>   * flag though it's unlikely that  we select a process with CAP_SYS_RAW_IO
> @@ -371,9 +373,16 @@ static void __oom_kill_task(struct task_
>  		return;
>  	}
>
> -	if (verbose)
> -		printk(KERN_ERR "Killed process %d (%s)\n",
> -				task_pid_nr(p), p->comm);
> +	if (verbose) {
> +		task_lock(p);
> +		printk(KERN_ERR "Killed process %d (%s) "
> +		       "vsz:%lukB, anon-rss:%lukB, file-rss:%lukB\n",
> +		       task_pid_nr(p), p->comm,
> +		       K(p->mm->total_vm),
> +		       K(get_mm_counter(p->mm, anon_rss)),
> +		       K(get_mm_counter(p->mm, file_rss)));
> +		task_unlock(p);
> +	}
>
>  	/*
>  	 * We give our sacrificial lamb high priority and access to

There's a race there which can dereference a NULL p->mm.

p->mm is protected by task_lock(), but there's no check added here that
ensures p->mm is still valid.  The previous check for !p->mm in
__oom_kill_task() is not protected by task_lock(), so there's a race:

	select_bad_process()
	oom_kill_process(p)
					do_exit()
					exit_signals(p) /* PF_EXITING */
	oom_kill_task(p)
	__oom_kill_task(p)
					exit_mm(p)
					task_lock(p)
					p->mm = NULL
					task_unlock(p)
	printk() of p->mm->total_vm

Please merge this as a fix.
Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
Reviewed-by: default avatarKOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent 610a143d
...@@ -367,22 +367,23 @@ static void __oom_kill_task(struct task_struct *p, int verbose) ...@@ -367,22 +367,23 @@ static void __oom_kill_task(struct task_struct *p, int verbose)
return; return;
} }
task_lock(p);
if (!p->mm) { if (!p->mm) {
WARN_ON(1); WARN_ON(1);
printk(KERN_WARNING "tried to kill an mm-less task!\n"); printk(KERN_WARNING "tried to kill an mm-less task %d (%s)!\n",
task_pid_nr(p), p->comm);
task_unlock(p);
return; return;
} }
if (verbose) { if (verbose)
task_lock(p);
printk(KERN_ERR "Killed process %d (%s) " printk(KERN_ERR "Killed process %d (%s) "
"vsz:%lukB, anon-rss:%lukB, file-rss:%lukB\n", "vsz:%lukB, anon-rss:%lukB, file-rss:%lukB\n",
task_pid_nr(p), p->comm, task_pid_nr(p), p->comm,
K(p->mm->total_vm), K(p->mm->total_vm),
K(get_mm_counter(p->mm, anon_rss)), K(get_mm_counter(p->mm, anon_rss)),
K(get_mm_counter(p->mm, file_rss))); K(get_mm_counter(p->mm, file_rss)));
task_unlock(p); task_unlock(p);
}
/* /*
* We give our sacrificial lamb high priority and access to * We give our sacrificial lamb high priority and access to
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment