linux-kernel.vger.kernel.org archive mirror
From: Ingo Molnar <mingo@elte.hu>
To: Nathan Lynch <nathanl@austin.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>,
	rusty@rustcorp.com.au, paulus@au1.ibm.com,
	linux-kernel@vger.kernel.org
Subject: Re: [BUG] mm_struct leak on cpu hotplug (s390/ppc64)
Date: Wed, 5 Jan 2005 12:08:33 +0100
Message-ID: <20050105110833.GA14956@elte.hu>
In-Reply-To: <1104892877.8954.27.camel@localhost.localdomain>


* Nathan Lynch <nathanl@austin.ibm.com> wrote:

> What about something like this?  Tested on ppc64.

>  		migrate_nr_uninterruptible(rq);
>  		BUG_ON(rq->nr_running != 0);
>  
> +		/* Must manually drop reference to avoid leaking mm_structs. */
> +		mmdrop(rq->idle->active_mm);
> +
>  		/* No need to migrate the tasks: it was best-effort if
>  		 * they didn't do lock_cpu_hotplug().  Just wake up
>  		 * the requestors. */
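
Review bot: the mmdrop(rq->idle->active_mm) added here runs on the CPU performing the offline, not in the context of the dead CPU's idle task that owns that active_mm, and nothing in the hunk orders it against that idle task reaching its final loop; if this is the last reference, the pagetables the idle task is still executing on are freed under it, and in the lazy-TLB case on an architecture that keeps kernel and user pagetables in one tree the idle task loses pagetables it is actively using. The drop belongs in the dying idle task itself, after it has switched to init_mm, rather than in this path; the comment on the added line should also name the reference being released (the idle task's lazy-TLB active_mm reference) instead of only "avoid leaking mm_structs".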

This doesn't look correct to me, because we might end up pulling the rug
(the pagetables) from under the idle task on that CPU. This can happen
in two ways: 1) there's no direct synchronization between a dead CPU
having called into cpu_die() and the downing CPU doing the mmdrop(), so
we might end up dropping it before the idle has entered the final loop
and is still executing kernel code; 2) even when the dead idle task is
already in its final loop there's no generic guarantee that an mmdrop()
can be done, e.g. on x86 the kernel pagetables are mixed up with the
user pagetables and an mmdrop() in case of lazy-TLB might end up zapping
the idle task's pagetables, which might break in subtle ways.

The correct solution, I think, would be to call back into the scheduler
from cpu_die():

void cpu_die(void)
{
        if (ppc_md.cpu_die)
                ppc_md.cpu_die();
+	idle_task_exit();
        local_irq_disable();
        for (;;);
}
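
Review bot: idle_task_exit() is inserted after the ppc_md.cpu_die() call, so on a platform whose ppc_md.cpu_die() halts the CPU and never returns the new call is unreachable and the active_mm reference is still leaked; where it does return, the idle task has already gone through platform teardown before giving up its pagetables. Move the call up, ahead of the `if (ppc_md.cpu_die)` test, so it runs while the idle task is still executing normally on the dying CPU; it must in any case stay ahead of the `for (;;);` loop, which never returns.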

and then in idle_task_exit(), do something like:

void idle_task_exit(void)
{
	struct mm_struct *mm = current->active_mm;

	if (mm != &init_mm)
		switch_mm(mm, &init_mm, current);
	mmdrop(mm);
}

(completely untested.) This makes sure that the idle task uses the
init_mm (which always has valid pagetables), and also ensures correct
reference-counting. Hm?

	Ingo
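As an added illustration (not code from this thread or from the kernel), the following user-space C model plays through the three orderings discussed above: no drop at all (the leak from the subject line), the drop done from the downing CPU as in the quoted patch, and the drop done by the dying idle task itself via idle_task_exit() as proposed. The struct and function names mirror the kernel's, but the layouts, the global `the_cpu`, the `enum outcome`, `cpu_setup()`, `cpu_gone()` and the three `offline_*()` scenario functions are assumptions made for the model; `switch_mm()` here also performs the lazy-TLB reference bump that the kernel's context_switch() does, so that the sketch's `switch_mm(); mmdrop(mm);` pairing stays balanced.

```c
#include <assert.h>
#include <string.h>

/* Stand-ins for mm_struct and task_struct: kernel names, not kernel layouts. */
struct mm {
	int mm_count;		/* lazy-TLB and kernel references, like mm_struct.mm_count */
	int freed;		/* 1 once the pagetables have been released */
};
struct task { struct mm *active_mm; };	/* the pagetables the task is running on */

/* The CPU being offlined (constructed state, not a kernel structure). */
static struct {
	struct mm init_mm;	/* kernel-only pagetables, always valid */
	struct mm user_mm;	/* last user process's mm, alive only through lazy TLB */
	struct task idle;
} the_cpu;

enum outcome { OFFLINE_OK = 0, OFFLINE_LEAKED = 1, OFFLINE_USE_AFTER_FREE = 2 };

/* mmdrop(): release one mm_count reference; the last one frees the pagetables. */
static void mmdrop(struct mm *mm)
{
	assert(mm->mm_count > 0 && !mm->freed);	/* a double drop trips here */
	if (--mm->mm_count == 0)
		mm->freed = 1;
}

/* switch_mm() plus the lazy-TLB bookkeeping context_switch() normally does:
 * 'next' gains a reference; dropping 'prev' is left to the caller. */
static void switch_mm(struct mm *prev, struct mm *next, struct task *tsk)
{
	(void)prev;
	next->mm_count++;
	tsk->active_mm = next;
}

/* The proposal from the mail: the dying idle task moves itself onto init_mm
 * and then drops, from its own context, the reference it was holding. */
static void idle_task_exit(struct task *idle)
{
	struct mm *mm = idle->active_mm;
	if (mm != &the_cpu.init_mm)
		switch_mm(mm, &the_cpu.init_mm, idle);
	mmdrop(mm);
}

/* Constructed starting point: the last user task has left the CPU, so the
 * idle task's lazy-TLB active_mm is the only thing keeping user_mm alive. */
static void cpu_setup(void)
{
	memset(&the_cpu, 0, sizeof the_cpu);
	the_cpu.init_mm.mm_count = 1;	/* the kernel's permanent reference */
	the_cpu.user_mm.mm_count = 1;	/* the idle task's lazy-TLB reference */
	the_cpu.idle.active_mm = &the_cpu.user_mm;
}

/* The idle task's final loop still runs kernel code on active_mm's pagetables;
 * once the CPU is gone, any reference it still holds can never be dropped. */
static enum outcome cpu_gone(void)
{
	if (the_cpu.idle.active_mm->freed)
		return OFFLINE_USE_AFTER_FREE;
	if (the_cpu.user_mm.mm_count > 0)
		return OFFLINE_LEAKED;
	return OFFLINE_OK;
}

/* Ordering 1, the bug in the subject line: nobody drops the reference. */
static enum outcome offline_no_drop(void)
{
	cpu_setup();
	return cpu_gone();
}

/* Ordering 2, the quoted patch: the downing CPU drops the idle task's
 * reference with nothing ordering that against the dying CPU. */
static enum outcome offline_drop_from_other_cpu(void)
{
	cpu_setup();
	mmdrop(the_cpu.idle.active_mm);	/* runs on the downing CPU */
	return cpu_gone();
}

/* Ordering 3, the proposal: cpu_die() calls idle_task_exit() on the dying
 * CPU before entering its final loop. */
static enum outcome offline_drop_from_dying_cpu(void)
{
	cpu_setup();
	idle_task_exit(&the_cpu.idle);	/* runs on the dying CPU itself */
	return cpu_gone();
}

/* The mm == &init_mm branch: a CPU that never ran a user task already borrows
 * init_mm, so only the count moves. Returns init_mm's remaining count. */
static int idle_task_exit_on_init_mm(void)
{
	cpu_setup();
	the_cpu.idle.active_mm = &the_cpu.init_mm;
	the_cpu.init_mm.mm_count = 2;	/* kernel's reference + idle's lazy-TLB borrow */
	idle_task_exit(&the_cpu.idle);
	return the_cpu.init_mm.mm_count;
}
```

The model deliberately has no real concurrency: the point is ownership, not timing. Only the task whose active_mm it is can know when it has stopped running on those pagetables, so only that task, after moving to the always-valid init_mm, can safely release the reference; doing it from any other CPU is a guess about the idle task's progress.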


Thread overview: 8+ messages
2005-01-04 13:11 [BUG] mm_struct leak on cpu hotplug (s390/ppc64) Heiko Carstens
2005-01-05  2:41 ` Nathan Lynch
2005-01-05 11:08   ` Ingo Molnar [this message]
2005-01-05 14:22     ` Heiko Carstens
2005-01-05 15:44     ` Nathan Lynch
2005-01-07 11:43       ` Ingo Molnar
2005-01-07 21:43         ` [PATCH] introduce idle_task_exit Nathan Lynch
2005-01-07 21:44           ` [PATCH] ppc64: call idle_task_exit from cpu_die Nathan Lynch
