From: Michel Lespinasse <walken@google.com>
To: Salman <sqazi@google.com>
Cc: peterz@infradead.org, mingo@elte.hu, akpm@inux-foundation.org,
linux-kernel@vger.kernel.org, tytso@google.com
Subject: Re: [PATCH] Fix a race in pid generation that causes pids to be reused immediately.
Date: Wed, 9 Jun 2010 04:49:03 -0700 [thread overview]
Message-ID: <20100609114903.GA9223@google.com> (raw)
In-Reply-To: <20100609062438.29081.91635.stgit@bumblebee1.mtv.corp.google.com>
On Tue, Jun 08, 2010 at 11:24:38PM -0700, Salman wrote:
> A program that repeatedly forks and waits is susceptible to having the
> same pid repeated, especially when it competes with another instance of the
> same program. This is really bad for bash implementation. Furthermore, many shell
> scripts assume that pid numbers will not be used for some length of time.
>
> Thanks to Ted Tso for the key ideas of this implementation.
>
> Signed-off-by: Salman Qazi <sqazi@google.com>
> ---
> kernel/pid.c | 11 ++++++++++-
> 1 files changed, 10 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index e9fd8c1..8cedeab 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -153,8 +153,17 @@ static int alloc_pidmap(struct pid_namespace *pid_ns)
> if (likely(atomic_read(&map->nr_free))) {
> do {
> if (!test_and_set_bit(offset, map->page)) {
> + int prev;
> atomic_dec(&map->nr_free);
> - pid_ns->last_pid = pid;
> +
> + do {
> + prev = last;
> + last = cmpxchg(&pid_ns->last_pid,
> + prev, pid);
> + if (last >= pid)
> + break;
You should make sure to handle pid wrap-around for this last/pid comparison.
I think proper way to do that would be:
/* last is the pid we started scanning at
* last_read is the last observed value of pid_ns->last_pid
*/
last_read = last;
do {
prev = last_read;
last_read = cmpxchg(&pid_ns->last_pid, prev, pid);
/* Exit if one of these conditions is true:
* - cmpxchg succeeded
* - last <= pid <= last_read (other thread already bumped last_pid)
* - last_read <= last <= pid (same with wraparound)
* - pid <= last_read <= last (same with different wraparound)
*/
} while (last_read != prev &&
(last > pid || pid > last_read) &&
(last_read > last || last > pid) &&
(pid > last_read || last_read > last));
The last_read == pid case is also interesting - it means another thread found
the same pid, forked a child with that pid, and the child exited already
(since the bitmap was cleared). However we don't need to handle that case -
first, that race is much less likely to happen, and second, the duplicate
pid would be returned in two separate tasks - so this would not cause problems
in bash as in your example.
--
Michel "Walken" Lespinasse
A program is never fully debugged until the last user dies.
next prev parent reply other threads:[~2010-06-09 11:49 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-09 6:24 [PATCH] Fix a race in pid generation that causes pids to be reused immediately Salman
2010-06-09 6:53 ` Andi Kleen
2010-06-09 9:48 ` Ingo Molnar
2010-06-09 15:39 ` Linus Torvalds
2010-06-09 15:50 ` tytso
2010-06-09 16:06 ` Linus Torvalds
2010-06-09 17:10 ` tytso
2010-06-09 17:23 ` Linus Torvalds
2010-06-09 17:25 ` Linus Torvalds
2010-06-09 17:34 ` tytso
2010-06-09 17:43 ` Linus Torvalds
2010-06-09 17:47 ` tytso
2010-06-09 18:09 ` Salman Qazi
2010-06-09 11:49 ` Michel Lespinasse [this message]
2010-06-09 12:37 ` tytso
2010-06-09 12:17 ` tytso
-- strict thread matches above, loose matches on Subject: below --
2010-06-09 21:00 Salman
2010-06-09 21:21 ` Linus Torvalds
2010-06-09 21:33 ` Peter Zijlstra
2010-06-09 22:20 ` Linus Torvalds
2010-06-09 22:27 ` Linus Torvalds
2010-06-10 0:08 ` Salman Qazi
2010-06-10 0:20 ` Linus Torvalds
[not found] ` <AANLkTilXJ0X2qxD9cNTlLayKzySEZu1HEZUWu--Go8kw@mail.gmail.com>
2010-06-10 5:55 ` Salman Qazi
2010-06-10 16:39 ` Linus Torvalds
2010-06-10 20:09 Salman
2010-06-10 20:38 ` tytso
2010-06-10 21:04 ` Salman Qazi
2010-06-10 21:24 Salman
2010-06-11 17:17 Salman
2010-06-11 17:44 ` Linus Torvalds
2010-06-11 22:49 ` Salman
2010-06-11 23:07 ` Linus Torvalds
2010-06-14 23:58 ` Andrew Morton
2010-06-15 0:56 ` tytso
2010-06-15 1:55 ` Andrew Morton
2010-06-15 3:26 ` Paul Mackerras
2010-06-15 4:21 ` Andrew Morton
2010-06-15 4:38 ` Eric Dumazet
2010-06-15 6:57 ` Benjamin Herrenschmidt
2010-06-15 7:25 ` Paul Mackerras
2010-06-15 12:56 ` tytso
2010-06-15 13:06 ` Kyle McMartin
2010-06-15 14:35 ` Peter Zijlstra
2010-06-15 19:37 ` Andrew Morton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100609114903.GA9223@google.com \
--to=walken@google.com \
--cc=akpm@inux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=peterz@infradead.org \
--cc=sqazi@google.com \
--cc=tytso@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.