{
  "log": [
    {
      "commit": "298359c5bf06c04258d7cf552426e198c47e83c1",
      "tree": "d8ba710675a2e4e9dabbc9ee06a4445fb5657ce5",
      "parents": [
        "53feb29767c29c877f9d47dcfe14211b5b0f7ebd"
      ],
      "author": {
        "name": "Michael S. Tsirkin",
        "email": "mst@redhat.com",
        "time": "Tue Mar 23 13:35:37 2010 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Wed Mar 24 16:31:21 2010 -0700"
      },
      "message": "exit: fix oops in sync_mm_rss\n\nIn 2.6.34-rc1, removing vhost_net module causes an oops in sync_mm_rss\n(called from do_exit) when workqueue is destroyed.  This does not happen\non net-next, or with vhost on top of to 2.6.33.\n\nThe issue seems to be introduced by\n34e55232e59f7b19050267a05ff1226e5cd122a5 (\"mm: avoid false sharing of\nmm_counter) which added sync_mm_rss() that is passed task-\u003emm, and\ndereferences it without checking.  If task is a kernel thread, mm might be\nNULL.  I think this might also happen e.g.  with aio.\n\nThis patch fixes the oops by calling sync_mm_rss when task-\u003emm is set to\nNULL.  I also added BUG_ON to detect any other cases where counters get\nincremented while mm is NULL.\n\nThe oops I observed looks like this:\n\nBUG: unable to handle kernel NULL pointer dereference at 00000000000002a8\nIP: [\u003cffffffff810b436d\u003e] sync_mm_rss+0x33/0x6f\nPGD 0\nOops: 0002 [#1] SMP\nlast sysfs file: /sys/devices/system/cpu/cpu7/cache/index2/shared_cpu_map\nCPU 2\nModules linked in: vhost_net(-) tun bridge stp sunrpc ipv6 cpufreq_ondemand acpi_cpufreq freq_table kvm_intel kvm i5000_edac edac_core rtc_cmos bnx2 button i2c_i801 i2c_core rtc_core e1000e sg joydev ide_cd_mod serio_raw pcspkr rtc_lib cdrom virtio_net virtio_blk virtio_pci virtio_ring virtio af_packet e1000 shpchp aacraid uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]\n\nPid: 2046, comm: vhost Not tainted 2.6.34-rc1-vhost #25 System Planar/IBM System x3550 -[7978B3G]-\nRIP: 0010:[\u003cffffffff810b436d\u003e]  [\u003cffffffff810b436d\u003e] sync_mm_rss+0x33/0x6f\nRSP: 0018:ffff8802379b7e60  EFLAGS: 00010202\nRAX: 0000000000000008 RBX: ffff88023f2390c0 RCX: 0000000000000000\nRDX: ffff88023f2396b0 RSI: 0000000000000000 RDI: ffff88023f2390c0\nRBP: ffff8802379b7e60 R08: 0000000000000000 R09: 0000000000000000\nR10: ffff88023aecfbc0 R11: 0000000000013240 R12: 0000000000000000\nR13: ffffffff81051a6c R14: ffffe8ffffc0f540 R15: 0000000000000000\nFS:  
0000000000000000(0000) GS:ffff880001e80000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b\nCR2: 00000000000002a8 CR3: 000000023af23000 CR4: 00000000000406e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nProcess vhost (pid: 2046, threadinfo ffff8802379b6000, task ffff88023f2390c0)\nStack:\n ffff8802379b7ee0 ffffffff81040687 ffffe8ffffc0f558 ffffffffa00a3e2d\n\u003c0\u003e 0000000000000000 ffff88023f2390c0 ffffffff81055817 ffff8802379b7e98\n\u003c0\u003e ffff8802379b7e98 0000000100000286 ffff8802379b7ee0 ffff88023ad47d78\nCall Trace:\n [\u003cffffffff81040687\u003e] do_exit+0x147/0x6c4\n [\u003cffffffffa00a3e2d\u003e] ? handle_rx_net+0x0/0x17 [vhost_net]\n [\u003cffffffff81055817\u003e] ? autoremove_wake_function+0x0/0x39\n [\u003cffffffff81051a6c\u003e] ? worker_thread+0x0/0x229\n [\u003cffffffff810553c9\u003e] kthreadd+0x0/0xf2\n [\u003cffffffff810038d4\u003e] kernel_thread_helper+0x4/0x10\n [\u003cffffffff81055342\u003e] ? kthread+0x0/0x87\n [\u003cffffffff810038d0\u003e] ? kernel_thread_helper+0x0/0x10\nCode: 00 8b 87 6c 02 00 00 85 c0 74 14 48 98 f0 48 01 86 a0 02 00 00 c7 87 6c 02 00 00 00 00 00 00 8b 87 70 02 00 00 85 c0 74 14 48 98 \u003cf0\u003e 48 01 86 a8 02 00 00 c7 87 70 02 00 00 00 00 00 00 8b 87 74\nRIP  [\u003cffffffff810b436d\u003e] sync_mm_rss+0x33/0x6f\n RSP \u003cffff8802379b7e60\u003e\nCR2: 00000000000002a8\n---[ end trace 41603ba922beddd2 ]---\nFixing recursive fault but reboot is needed!\n\n(note: handle_rx_net is a work item using workqueue in question).\nsync_mm_rss+0x33/0x6f gave me a hint. I also tried reverting\n34e55232e59f7b19050267a05ff1226e5cd122a5 and the oops goes away.\n\nThe module in question calls use_mm and later unuse_mm from a kernel\nthread.  It is when this kernel thread is destroyed that the crash\nhappens.\n\nSigned-off-by: Michael S. 
Tsirkin \u003cmst@redhat.com\u003e\nAndrea Arcangeli \u003caarcange@redhat.com\u003e\nReviewed-by: Rik van Riel \u003criel@redhat.com\u003e\nReviewed-by: KAMEZAWA Hiroyuki \u003ckamezawa.hiroyu@jp.fujitsu.com\u003e\nReviewed-by: Minchan Kim \u003cminchan.kim@gmail.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "5da779c34ccff5e1e617892b6c8bd8260fb1f04c",
      "tree": "fbcaab087c066b7e4c294a9150e56bc742ebee38",
      "parents": [
        "05c2828c72c4eabf62376adfe27bd24797621f62"
      ],
      "author": {
        "name": "Michael S. Tsirkin",
        "email": "mst@redhat.com",
        "time": "Thu Jan 14 06:17:18 2010 +0000"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Fri Jan 15 01:43:28 2010 -0800"
      },
      "message": "mm: export use_mm/unuse_mm to modules\n\nvhost net module wants to do copy to/from user from a kernel thread,\nwhich needs use_mm. Export it to modules.\n\nAcked-by: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nAcked-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "f68e14805085972b4e0b0ab684af37f713b9c262",
      "tree": "6e0cc9e1e3f29b36ec3d7acfaf863cf9bb39ea5b",
      "parents": [
        "3d2d827f5ca5e32816194119d5c980c7e04474a6"
      ],
      "author": {
        "name": "Michael S. Tsirkin",
        "email": "mst@redhat.com",
        "time": "Mon Sep 21 17:03:52 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Sep 22 07:17:42 2009 -0700"
      },
      "message": "mm: reduce atomic use on use_mm fast path\n\nWhen the mm being switched to matches the active mm, we don\u0027t need to\nincrement and then drop the mm count.  In a simple benchmark this happens\nin about 50% of time.  Making that conditional reduces contention on that\ncacheline on SMP systems.\n\nAcked-by: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nSigned-off-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "3d2d827f5ca5e32816194119d5c980c7e04474a6",
      "tree": "fe0e84669f5f20e1dff8e3dc6b191b4d5dfc0145",
      "parents": [
        "425fbf047cc70bb30dff368a6da02c8c2d229318"
      ],
      "author": {
        "name": "Michael S. Tsirkin",
        "email": "mst@redhat.com",
        "time": "Mon Sep 21 17:03:51 2009 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@linux-foundation.org",
        "time": "Tue Sep 22 07:17:42 2009 -0700"
      },
      "message": "mm: move use_mm/unuse_mm from aio.c to mm/\n\nAnyone who wants to do copy to/from user from a kernel thread, needs\nuse_mm (like what fs/aio has).  Move that into mm/, to make reusing and\nexporting easier down the line, and make aio use it.  Next intended user,\nbesides aio, will be vhost-net.\n\nAcked-by: Andrea Arcangeli \u003caarcange@redhat.com\u003e\nSigned-off-by: Michael S. Tsirkin \u003cmst@redhat.com\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    }
  ]
}
