From: Peter Zijlstra <peterz@infradead.org>
To: Mike Galbraith <efault@gmx.de>
Cc: Ingo Molnar <mingo@elte.hu>,
	Miklos Vajna <vmiklos@frugalware.org>,
	shenghui <crosslonelyover@gmail.com>,
	kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org,
	Greg KH <greg@kroah.com>, Paul Turner <pjt@google.com>,
	Yong Zhang <yong.zhang0@gmail.com>,
	Li Zefan <lizf@cn.fujitsu.com>, Paul Menage <menage@google.com>,
	Balbir Singh <balbir@linux.vnet.ibm.com>,
	Srivatsa Vaddagiri <vatsa@in.ibm.com>
Subject: Re: [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash
Date: Mon, 03 Jan 2011 08:21:25 +0000
Message-ID: <1294042885.2016.11.camel@laptop>
In-Reply-To: <1293784350.6839.2.camel@marge.simson.net>

On Fri, 2010-12-31 at 09:32 +0100, Mike Galbraith wrote:

> sched: fix autogroup reference leak and cpu_cgroup_exit() explosion
> 
> In the event of a fork failure, the new cpu_cgroup_exit() method tries to
> move an unhashed task.  Since PF_EXITING isn't set in that case, autogroup
> will dig aground in a freed signal_struct.  Neither cgroups nor autogroup
> has anything it needs to do with this shade, so don't go there.
> 
> This also uncovered a struct autogroup reference leak. copy_process() was
> simply freeing vs putting the signal_struct, stranding a reference.
> 
> Signed-off-by: Mike Galbraith <efault@gmx.de>
> 
> ---
>  kernel/fork.c  |    2 +-
>  kernel/sched.c |   10 ++++++++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
> 
> Index: linux-2.6.37.git/kernel/fork.c
> =================================> --- linux-2.6.37.git.orig/kernel/fork.c
> +++ linux-2.6.37.git/kernel/fork.c
> @@ -1318,7 +1318,7 @@ bad_fork_cleanup_mm:
>  	}
>  bad_fork_cleanup_signal:
>  	if (!(clone_flags & CLONE_THREAD))
> -		free_signal_struct(p->signal);
> +		put_signal_struct(p->signal);
>  bad_fork_cleanup_sighand:
>  	__cleanup_sighand(p->sighand);
>  bad_fork_cleanup_fs:
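
Review bot: At bad_fork_cleanup_signal, put_signal_struct(p->signal) only releases the structure when it drops the last reference, and nothing in this hunk or the changelog says what the count is expected to be on the fork-failure path. Please state in the changelog that the new task holds the only reference here, so the put still frees the signal_struct and also drops the autogroup reference that the bare free stranded. This is a self-contained leak fix, independent of the cpu_cgroup_exit() guard in kernel/sched.c, so it would be easier to review and backport as its own patch.
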
> Index: linux-2.6.37.git/kernel/sched.c
> =================================> --- linux-2.6.37.git.orig/kernel/sched.c
> +++ linux-2.6.37.git/kernel/sched.c
> @@ -9193,6 +9193,16 @@ cpu_cgroup_attach(struct cgroup_subsys *
>  static void
>  cpu_cgroup_exit(struct cgroup_subsys *ss, struct task_struct *task)
>  {
> +	/*
> +	 * cgroup_exit() is called in the copy_process failure path.
> +	 * The task isn't hashed, and we don't want to make autogroup
> +	 * dig into a freed signal_struct, so just go away.
> +	 *
> +	 * XXX: why are cgroup methods diddling unattached tasks?
> +	 */
> +	if (!(task->flags & PF_EXITING))
> +		return;
> +
>  	sched_move_task(task);
>  }
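
Review bot: The `!(task->flags & PF_EXITING)` test at the top of cpu_cgroup_exit() uses an exit-state flag as a stand-in for "this task was never hashed", which is the condition the comment actually cares about, and the XXX leaves open why the hook is reached for such a task at all. The early return keeps sched_move_task() away from the freed signal_struct, but it also silently skips the move for any other caller that reaches this hook without PF_EXITING set. Consider either keeping the fork-failure path from invoking the exit hook, or extending the comment to spell out the invariant relied on here (every legitimate caller sets PF_EXITING first), so the XXX does not ship unresolved.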

Ah, that looks plausible. I've folded this chunk into my patch and kept
your fork-fail mod in a separate patch.
