Sorry for the late response. I miseed your comment. :(
On Tue, May 21, 2019 at 05:31:13PM +0200, Oleg Nesterov wrote:
> On 05/20, Minchan Kim wrote:
> >
> > + rcu_read_lock();
> > + tsk = pid_task(pid, PIDTYPE_PID);
> > + if (!tsk) {
> > + rcu_read_unlock();
> > + goto err;
> > + }
> > + get_task_struct(tsk);
> > + rcu_read_unlock();
> > + mm = mm_access(tsk, PTRACE_MODE_ATTACH_REALCREDS);
> > + if (!mm || IS_ERR(mm)) {
> > + ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> > + if (ret == -EACCES)
> > + ret = -EPERM;
> > + goto err;
> > + }
> > + ret = madvise_core(tsk, start, len_in, behavior);
>
> IIUC, madvise_core(tsk) plays with tsk->mm->mmap_sem. But this tsk can exit
> and
> nullify its ->mm right after mm_access() succeeds.
You're absolutely right. I will fix it via passing mm_struct instead of
task_struct.
Thanks!
>
> another problem is that pid_task(pid) can return a zombie leader, in this case
> mm_access() will fail while it shouldn't.
I'm sorry. I didn't notice that. However, I couldn't understand your point.
Why do you think mm_access shouldn't fail even though pid_task returns
a zombie leader? I thought it's okay since the target process is exiting
so hinting operation would be meaniness for the process.
