lazy-tlb-introduce-lazy-mm-refcount-helper-functions-fix

Fix a refcounting bug in kthread_use_mm (the mm reference is increased
unconditionally now, but the lazy tlb refcount is still only dropped only
if mm != active_mm).

Link: https://lkml.kernel.org/r/1623125298.bx63h3mopj.astroid@bobo.none
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>

diff --git a/kernel/kthread.c b/kernel/kthread.c
index e82a17863b098d54e7ed00a78d5a322ee4c6645b..83ed75d531b4b992548ecf179d6a74864b67322a 100644 (file)
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -1350,6 +1350,11 @@ void kthread_use_mm(struct mm_struct *mm)
        WARN_ON_ONCE(!(tsk->flags & PF_KTHREAD));
        WARN_ON_ONCE(tsk->mm);
 
+       /*
+        * It's possible that tsk->active_mm == mm here, but we must
+        * still mmgrab(mm) and mmdrop_lazy_tlb(active_mm), because lazy
+        * mm may not have its own refcount (see mmgrab/drop_lazy_tlb()).
+        */
        mmgrab(mm);
 
        task_lock(tsk);
@@ -1374,12 +1379,9 @@ void kthread_use_mm(struct mm_struct *mm)
         * memory barrier after storing to tsk->mm, before accessing
         * user-space memory. A full memory barrier for membarrier
         * {PRIVATE,GLOBAL}_EXPEDITED is implicitly provided by
-        * mmdrop(), or explicitly with smp_mb().
+        * mmdrop_lazy_tlb().
         */
-       if (active_mm != mm)
-               mmdrop_lazy_tlb(active_mm);
-       else
-               smp_mb();
+       mmdrop_lazy_tlb(active_mm);
 
        to_kthread(tsk)->oldfs = force_uaccess_begin();
 }