diff options
| author | Dave Peterson <dsp@llnl.gov> | 2006-04-19 01:20:44 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-04-19 12:13:50 -0400 |
| commit | 013159227b840dfd441bd2e4c8b4d77ffb3cc42e (patch) | |
| tree | 15bd8349b4a105efc75c77dcd0c1a579ecd87ab4 | |
| parent | 97c2c9b84d0c1edf4926b13661d5af3f0edccbce (diff) | |
[PATCH] mm: fix mm_struct reference counting bugs in mm/oom_kill.c
Fix oom_kill_task() so it doesn't call mmput() (which may sleep) while
holding tasklist_lock.
Signed-off-by: David S. Peterson <dsp@llnl.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
| -rw-r--r-- | mm/oom_kill.c | 45 |
1 files changed, 23 insertions, 22 deletions
diff --git a/mm/oom_kill.c b/mm/oom_kill.c index 9a643c4bf77c..042e6436c3ee 100644 --- a/mm/oom_kill.c +++ b/mm/oom_kill.c | |||
| @@ -254,17 +254,24 @@ static void __oom_kill_task(task_t *p, const char *message) | |||
| 254 | force_sig(SIGKILL, p); | 254 | force_sig(SIGKILL, p); |
| 255 | } | 255 | } |
| 256 | 256 | ||
| 257 | static struct mm_struct *oom_kill_task(task_t *p, const char *message) | 257 | static int oom_kill_task(task_t *p, const char *message) |
| 258 | { | 258 | { |
| 259 | struct mm_struct *mm = get_task_mm(p); | 259 | struct mm_struct *mm; |
| 260 | task_t * g, * q; | 260 | task_t * g, * q; |
| 261 | 261 | ||
| 262 | if (!mm) | 262 | mm = p->mm; |
| 263 | return NULL; | 263 | |
| 264 | if (mm == &init_mm) { | 264 | /* WARNING: mm may not be dereferenced since we did not obtain its |
| 265 | mmput(mm); | 265 | * value from get_task_mm(p). This is OK since all we need to do is |
| 266 | return NULL; | 266 | * compare mm to q->mm below. |
| 267 | } | 267 | * |
| 268 | * Furthermore, even if mm contains a non-NULL value, p->mm may | ||
| 269 | * change to NULL at any time since we do not hold task_lock(p). | ||
| 270 | * However, this is of no concern to us. | ||
| 271 | */ | ||
| 272 | |||
| 273 | if (mm == NULL || mm == &init_mm) | ||
| 274 | return 1; | ||
| 268 | 275 | ||
| 269 | __oom_kill_task(p, message); | 276 | __oom_kill_task(p, message); |
| 270 | /* | 277 | /* |
| @@ -276,13 +283,12 @@ static struct mm_struct *oom_kill_task(task_t *p, const char *message) | |||
| 276 | __oom_kill_task(q, message); | 283 | __oom_kill_task(q, message); |
| 277 | while_each_thread(g, q); | 284 | while_each_thread(g, q); |
| 278 | 285 | ||
| 279 | return mm; | 286 | return 0; |
| 280 | } | 287 | } |
| 281 | 288 | ||
| 282 | static struct mm_struct *oom_kill_process(struct task_struct *p, | 289 | static int oom_kill_process(struct task_struct *p, unsigned long points, |
| 283 | unsigned long points, const char *message) | 290 | const char *message) |
| 284 | { | 291 | { |
| 285 | struct mm_struct *mm; | ||
| 286 | struct task_struct *c; | 292 | struct task_struct *c; |
| 287 | struct list_head *tsk; | 293 | struct list_head *tsk; |
| 288 | 294 | ||
| @@ -293,9 +299,8 @@ static struct mm_struct *oom_kill_process(struct task_struct *p, | |||
| 293 | c = list_entry(tsk, struct task_struct, sibling); | 299 | c = list_entry(tsk, struct task_struct, sibling); |
| 294 | if (c->mm == p->mm) | 300 | if (c->mm == p->mm) |
| 295 | continue; | 301 | continue; |
| 296 | mm = oom_kill_task(c, message); | 302 | if (!oom_kill_task(c, message)) |
| 297 | if (mm) | 303 | return 0; |
| 298 | return mm; | ||
| 299 | } | 304 | } |
| 300 | return oom_kill_task(p, message); | 305 | return oom_kill_task(p, message); |
| 301 | } | 306 | } |
| @@ -310,7 +315,6 @@ static struct mm_struct *oom_kill_process(struct task_struct *p, | |||
| 310 | */ | 315 | */ |
| 311 | void out_of_memory(struct zonelist *zonelist, gfp_t gfp_mask, int order) | 316 | void out_of_memory(struct zonelist *zonelist, gfp_t gfp_mask, int order) |
| 312 | { | 317 | { |
| 313 | struct mm_struct *mm = NULL; | ||
| 314 | task_t *p; | 318 | task_t *p; |
| 315 | unsigned long points = 0; | 319 | unsigned long points = 0; |
| 316 | 320 | ||
| @@ -330,12 +334,12 @@ void out_of_memory(struct zonelist *zonelist, gfp_t gfp_mask, int order) | |||
| 330 | */ | 334 | */ |
| 331 | switch (constrained_alloc(zonelist, gfp_mask)) { | 335 | switch (constrained_alloc(zonelist, gfp_mask)) { |
| 332 | case CONSTRAINT_MEMORY_POLICY: | 336 | case CONSTRAINT_MEMORY_POLICY: |
| 333 | mm = oom_kill_process(current, points, | 337 | oom_kill_process(current, points, |
| 334 | "No available memory (MPOL_BIND)"); | 338 | "No available memory (MPOL_BIND)"); |
| 335 | break; | 339 | break; |
| 336 | 340 | ||
| 337 | case CONSTRAINT_CPUSET: | 341 | case CONSTRAINT_CPUSET: |
| 338 | mm = oom_kill_process(current, points, | 342 | oom_kill_process(current, points, |
| 339 | "No available memory in cpuset"); | 343 | "No available memory in cpuset"); |
| 340 | break; | 344 | break; |
| 341 | 345 | ||
| @@ -357,8 +361,7 @@ retry: | |||
| 357 | panic("Out of memory and no killable processes...\n"); | 361 | panic("Out of memory and no killable processes...\n"); |
| 358 | } | 362 | } |
| 359 | 363 | ||
| 360 | mm = oom_kill_process(p, points, "Out of memory"); | 364 | if (oom_kill_process(p, points, "Out of memory")) |
| 361 | if (!mm) | ||
| 362 | goto retry; | 365 | goto retry; |
| 363 | 366 | ||
| 364 | break; | 367 | break; |
| @@ -367,8 +370,6 @@ retry: | |||
| 367 | out: | 370 | out: |
| 368 | read_unlock(&tasklist_lock); | 371 | read_unlock(&tasklist_lock); |
| 369 | cpuset_unlock(); | 372 | cpuset_unlock(); |
| 370 | if (mm) | ||
| 371 | mmput(mm); | ||
| 372 | 373 | ||
| 373 | /* | 374 | /* |
| 374 | * Give "p" a good chance of killing itself before we | 375 | * Give "p" a good chance of killing itself before we |