From 4b78041fe7d2cdaa75a4ae8d0135b227ca2c76be Mon Sep 17 00:00:00 2001
From: Andrea Arcangeli
Date: Tue, 26 Mar 2019 14:08:55 +0800
Subject: [PATCH] mm: change mm_update_next_owner() to update mm->owner with WRITE_ONCE

euler inclusion
category: bugfix
bugzilla: 10989
CVE: NA

------------------------------------------------

The RCU reader uses rcu_dereference() inside rcu_read_lock critical sections, so the writer shall use WRITE_ONCE.

Just a cleanup, we still rely on gcc to emit atomic writes in other places.

Signed-off-by: Andrea Arcangeli
Signed-off-by: zhong jiang
Reviewed-by: Jing Xiangfeng
Signed-off-by: Yang Yingliang
---
 kernel/exit.c | 6 +++---
 kernel/fork.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c
index e6330709df09..936333b9f25b 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -422,7 +422,7 @@ void mm_update_next_owner(struct mm_struct *mm)
 * freed task structure.
 */
 if (atomic_read(&mm->mm_users) <= 1) {
- mm->owner = NULL;
+ WRITE_ONCE(mm->owner, NULL);
 return;
 }
 
@@ -462,7 +462,7 @@ void mm_update_next_owner(struct mm_struct *mm)
 * most likely racing with swapoff (try_to_unuse()) or /proc or
 * ptrace or page migration (get_task_mm()). Mark owner as NULL.
 */
- mm->owner = NULL;
+ WRITE_ONCE(mm->owner, NULL);
 return;
 
 assign_new_owner:
@@ -483,7 +483,7 @@ void mm_update_next_owner(struct mm_struct *mm)
 put_task_struct(c);
 goto retry;
 }
- mm->owner = c;
+ WRITE_ONCE(mm->owner, c);
 task_unlock(c);
 put_task_struct(c);
 }
diff --git a/kernel/fork.c b/kernel/fork.c
index a04b468c1ce2..487f392c5cef 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -961,7 +961,7 @@ static __always_inline void mm_clear_owner(struct mm_struct *mm,
 {
 #ifdef CONFIG_MEMCG
 if (mm->owner == p)
- mm->owner = NULL;
+ WRITE_ONCE(mm->owner, NULL);
 #endif
 }
 
-- 
GitLab
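Review bot: The non-NULL publish `WRITE_ONCE(mm->owner, c);` in the third kernel/exit.c hunk (the one at -483) is, per the commit message, paired with rcu_dereference() on the reader side, and the matching writer primitive for that pairing is rcu_assign_pointer(), which adds the release ordering that WRITE_ONCE() alone does not. Because `c` is a task_struct that is already visible to other CPUs and the store appears to sit under task_lock(c) (the task_unlock(c) follows in the hunk), the missing barrier is probably harmless in practice, but the choice should be recorded at the store, e.g. `/* WRITE_ONCE is enough: c is already published, no release ordering needed */`, or the line changed to `rcu_assign_pointer(mm->owner, c);` for symmetry with the readers. The two NULL stores in the earlier exit.c hunks are fine as WRITE_ONCE(), since publishing NULL needs no ordering. mm_update_next_owner's body starts and ends outside these hunks.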
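Review bot: In the kernel/fork.c hunk the compare `if (mm->owner == p)` stays a plain load while the store directly beneath it becomes WRITE_ONCE(); if mm_clear_owner can run concurrently with the RCU readers the commit message describes, the read should be `if (READ_ONCE(mm->owner) == p)` for consistency, and if it cannot (the mm is presumably still private to the failing fork at this point), a one-line comment stating that would keep the asymmetry from being questioned again. The function's parameter list continues on the line before the hunk, so only the body is visible here.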