From: Oleg Nesterov <oleg@tv-sign.ru>
To: Jean Delvare <jdelvare@suse.de>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@osdl.org>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
linux-kernel@vger.kernel.org, ak@suse.de
Subject: Re: [PATCH] proc: readdir race fix (take 3)
Date: Thu, 7 Sep 2006 02:25:56 +0400 [thread overview]
Message-ID: <20060906222556.GA168@oleg> (raw)
In-Reply-To: <200609062312.57774.jdelvare@suse.de>
On 09/06, Jean Delvare wrote:
>
> On Wednesday 6 September 2006 11:01, Jean Delvare wrote:
> > Eric, Kame, thanks a lot for working on this. I'll be giving some good
> > testing to this patch today, and will return back to you when I'm done.
>
> The original issue is indeed fixed, but there's a problem with the patch.
> When stressing /proc (to verify the bug was fixed), my test machine ended
> up crashing. Here are the 2 traces I found in the logs:
>
> Sep 6 12:06:00 arrakis kernel: BUG: warning at
> kernel/fork.c:113/__put_task_struct()
> Sep 6 12:06:00 arrakis kernel: [<c0115f93>] __put_task_struct+0xf3/0x100
> Sep 6 12:06:00 arrakis kernel: [<c019666a>] proc_pid_readdir+0x13a/0x150
> Sep 6 12:06:00 arrakis kernel: [<c01745f0>] vfs_readdir+0x80/0xa0
> Sep 6 12:06:00 arrakis kernel: [<c0174750>] filldir+0x0/0xd0
> Sep 6 12:06:00 arrakis kernel: [<c017488c>] sys_getdents+0x6c/0xb0
> Sep 6 12:06:00 arrakis kernel: [<c0174750>] filldir+0x0/0xd0
> Sep 6 12:06:00 arrakis kernel: [<c0102fb7>] syscall_call+0x7/0xb
I think there is a bug in next_tgid(),
> -static struct task_struct *next_tgid(struct task_struct *start)
> -{
> - struct task_struct *pos;
> + task = NULL;
> rcu_read_lock();
> - pos = start;
> - if (pid_alive(start))
> - pos = next_task(start);
> - if (pid_alive(pos) && (pos != &init_task)) {
> - get_task_struct(pos);
> - goto done;
> +retry:
> + pid = find_ge_pid(tgid);
> + if (pid) {
> + tgid = pid->nr + 1;
> + task = pid_task(pid, PIDTYPE_PID);
> + /* What we to know is if the pid we have find is the
> + * pid of a thread_group_leader. Testing for task
> + * being a thread_group_leader is the obvious thing
> + * todo but there is a window when it fails, due to
> + * the pid transfer logic in de_thread.
> + *
> + * So we perform the straight forward test of seeing
> + * if the pid we have found is the pid of a thread
> + * group leader, and don't worry if the task we have
> + * found doesn't happen to be a thread group leader.
> + * As we don't care in the case of readdir.
> + */
> + if (!task || !has_group_leader_pid(task))
> + goto retry;
> + get_task_struct(task);
> }
> - pos = NULL;
> -done:
> rcu_read_unlock();
> - put_task_struct(start);
> - return pos;
> + return task;
> }
If the task found is not a group leader, we go to retry, but
the task != NULL.
Now, if find_ge_pid(tgid) returns NULL, we return that wrong
task, and it was not get_task_struct()'ed.
Oleg.
next prev parent reply other threads:[~2006-09-06 22:26 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-25 9:29 [RFC][PATCH] ps command race fix take 4 [4/4] proc root open/release/llseek KAMEZAWA Hiroyuki
2006-09-04 23:13 ` [PATCH] proc: readdir race fix Eric W. Biederman
2006-09-05 1:30 ` KAMEZAWA Hiroyuki
2006-09-05 2:30 ` Eric W. Biederman
2006-09-05 2:41 ` KAMEZAWA Hiroyuki
2006-09-05 2:26 ` KAMEZAWA Hiroyuki
2006-09-05 2:54 ` Eric W. Biederman
2006-09-05 3:07 ` Eric W. Biederman
2006-09-05 5:39 ` KAMEZAWA Hiroyuki
2006-09-05 10:10 ` Oleg Nesterov
2006-09-05 11:36 ` Eric W. Biederman
2006-09-05 14:52 ` [PATCH] proc: readdir race fix (take 3) Eric W. Biederman
2006-09-06 9:01 ` Jean Delvare
2006-09-06 21:12 ` Jean Delvare
2006-09-06 22:25 ` Oleg Nesterov [this message]
2006-09-06 22:38 ` [PATCH] proc-readdir-race-fix-take-3-fix-3 Oleg Nesterov
2006-09-06 22:59 ` Eric W. Biederman
2006-09-08 6:38 ` Eric W. Biederman
2006-09-06 22:43 ` [PATCH] proc: readdir race fix (take 3) Eric W. Biederman
2006-09-07 8:31 ` Jean Delvare
2006-09-07 13:57 ` Eric W. Biederman
2006-09-07 18:07 ` Jean Delvare
2006-09-07 18:40 ` Eric W. Biederman
2006-09-05 5:26 ` [PATCH] proc: readdir race fix KAMEZAWA Hiroyuki
2006-09-05 5:41 ` KAMEZAWA Hiroyuki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060906222556.GA168@oleg \
--to=oleg@tv-sign.ru \
--cc=ak@suse.de \
--cc=akpm@osdl.org \
--cc=ebiederm@xmission.com \
--cc=jdelvare@suse.de \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.